Suspicions remain after multiple scans


  • This topic is locked
18 replies to this topic

#1 Rustum (Members, 41 posts, Cape Town, SA)

Posted 28 September 2010 - 09:19 AM

Hi.

(Windows XP-SP3, Firefox 3.5.10)

Last week I suffered what I suspected was some form of virus or other malware/hijack attack. While surfing, I would occasionally get a Java 6 update popup (my Java was a bit old). This popup occurred maybe 4 or 5 times over a few days. Then, the details get confusing: My AVG scan hung, I couldn't update its database and my PC crashed. It would boot, but not load Windows, giving an error message about administrator password.

I then used the Windows install to repair my installation, updated various things, etc. I have now run scans with updated AVG, MalwareBytes Anti-Malware, Super Anti-Spyware, Spybot. (Teatimer runs concurrently with SAS). At various points a few things were picked up; these were quarantined and cleaned.

But I remain suspicious. I have found multiple copies of the SAS executable in the SAS program folder; they have very long alpha-numeric names. So I don't know what's going on. During installing and updating various pieces of software, I have also nervously denied registry changes for some things (through Spybot).

Where then can I start to be able to say with satisfaction that I am clean? I am unsure whether any of the anti-virus and malware programs are clean.

Thank you in anticipation

Rustum


#2 quietman7, Bleepin' Janitor (Global Moderator, 52,082 posts, Virginia, USA)

Posted 28 September 2010 - 12:11 PM

Get a second opinion by performing an Online Virus Scan like ESET or Kaspersky.

Anytime you come across a suspicious file about which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

FYI: mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products). Ad-Aware has even been placed into the Installers Hall of Shame.

Further, most people don't understand Spybot's TeaTimer or how to use it, and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in the Windows registry but does not indicate whether the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. If you don't understand how a particular security tool works, then you probably should not be using it. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Rustum, Topic Starter (Members, 41 posts, Cape Town, SA)

Posted 28 September 2010 - 12:20 PM

Thank you for the prompt response Quietman7, and thanks for the tip on SpyBot's decreased rep. I understand the issues around Teatimer for less-than-advanced users, but have always tried to allow changes only when I've installed something.

In the meantime, I've uninstalled Super-AntiSpyware. It turns out that it was also slowing down my shutdown.

But I'm onto your step by step guide now. And will report whether issues are resolved or not.

Thanks again.

#4 quietman7, Bleepin' Janitor (Global Moderator, 52,082 posts, Virginia, USA)

Posted 28 September 2010 - 12:22 PM

Ok.

#5 Rustum, Topic Starter (Members, 41 posts, Cape Town, SA)

Posted 28 September 2010 - 11:05 PM

Hi.

Dr.Web express scan in Safe Mode found Trojan.Startpage.1505 - quarantined and deleted.

ESET Online scan identified Win32/Toolbar.AskSBar application in a Nero install executable - quarantined and deleted

EDIT: Possible further symptoms? I don't use Iexplore, but I tried opening it. It returns an error, specifying urlmon.dll. (But perhaps this is related to me mucking about with Teatimer?). Furthermore, Windows Auto-update also seems to be giving problems. From Control Panel>Security Center, Auto Update shows it is on. When I click Control Panel>Auto Update though, nothing happens. When I go to Microsoft and click on download links (using Firefox), it returns a message in the browser window saying that I should be using IE 5 and higher (while my version is IE 7 I think), then also provides a link for other browsers. Clicking link for other browsers takes me back to Microsoft update pages, but I can't seem to run any checks to see if I need any further updates. All links seem to give that browser window error message. However, I was able to download Windows Software Removal Tool yesterday.

Edit 2: I am 7/8 hours ahead of you and work from home, so I have also done some additional things to try and clean my machine.
1. I ran a full MBAM scan in normal mode. It found 6 infections. 2 are for a Trojan Downloader (although it's a false positive and for a duplicate file; I've scanned these at Jotti's, some scanners report variously named malware, one reported false positive, rest found nothing), 2xTrojan.Agent in the registry, and 2 Malware Traces in Documents and Settings. All 6 have been quarantined.

The last two are odd: their path is Docs & Settings\All Users\Documents\Server and they are "admin.txt" and "server.dat", but /Documents folder is invisible via Windows explorer, while via Windows Explorer Search one can open the containing folder (My folder view options are set to show hidden and system files). But, as said, they've been quarantined.

2. After reboot, checked IExplore again. No dice. Disabled 3rd party add-ons, ran rereg. It opened IExplore, showing still the AVG toolbar, but the program froze, then crashed, then gave kernel32.dll error. Then ran check with Windows File Protection. It eventually asked for SP3 disc, but I have early XP Professional disc. I let it run to completion then ran the SP3 patch again. Reboot. Still no luck with IExplore opening. Other programs seem to be running fine - I don't much care about IExplore, but am just worried that it may be connected to Windows Update issues I am (might be?) experiencing.

Anyway, I don't intend to frustrate you with running additional scans before you've responded, but given the time difference and my anxiety about logging in to gmail and my banking site, I am a bit anxious about getting rid of malware as soon as possible. I hope though that the additional info provides a better profile of my machine.

Edited by Rustum, 29 September 2010 - 03:33 AM.


#6 quietman7, Bleepin' Janitor (Global Moderator, 52,082 posts, Virginia, USA)

Posted 29 September 2010 - 06:57 AM

You cannot open Internet Explorer or nothing occurs after you click a link

When going to the above Microsoft Article ID: 281679, you should see a Microsoft Fix it window open which says it may automatically fix your problem. If so, click the link in the window to Run now or select the Learn More button.

If the Microsoft Fix it window does not appear, use the following links:

#7 Rustum, Topic Starter (Members, 41 posts, Cape Town, SA)

Posted 29 September 2010 - 08:12 AM

Hi Quietman7. Thanks.

I had already uninstalled (or tried to) IExplore 7 with Revo Uninstaller to see whether that might fix it. No luck. And Revo said that the internal uninstaller was not working. I let the Revo uninstallation run its course.

So, now I have run Mr Fixit. The problem persists. The error message still shows an IExplore version 7 on a version 6 build.

Just wondering whether SP3 isn't causing problems. Before the recent re-install, I was not running SP3 because I had read about so many complaints about it... Just a thought.

#8 quietman7, Bleepin' Janitor (Global Moderator, 52,082 posts, Virginia, USA)

Posted 29 September 2010 - 08:17 AM

Please provide the complete error message exactly as given or post a screenshot.

#9 Rustum, Topic Starter (Members, 41 posts, Cape Town, SA)

Posted 29 September 2010 - 08:32 AM

Error signature:

AppName: iexplore.exe AppVer: 7.0.6000.17055 ModName: urlmon.dll
ModVer: 6.0.2900.5512 Offset: 0003e6e7

(sorry, don't have a Photobucket etc. account)

#10 quietman7, Bleepin' Janitor (Global Moderator, 52,082 posts, Virginia, USA)

Posted 29 September 2010 - 09:48 AM

urlmon.dll is a module that contains functions used by Microsoft OLE.

When doing a Google search for this particular problem, you will find this is a common complaint with various causes and possible solutions. What works for one person may not work for another. Some solutions recommend re-registering urlmon.dll, and others say to uncheck the box that says Enable third-Party Browser extensions under the Advanced Tab in Internet Explorer Properties, or to run SFC, both of which you have already tried.

The urlmon.dll version on my XP3 system is 7.0.6000.17080 and is the same version of iexplore.exe.

Your copy appears to be an older version 6.0.2900.5512. You may want to perform a search on your system to see if you can locate a more current version of urlmon.dll, then try replacing it.

Alternatively you can download SystemLook from one of the links below and save it to your Desktop.

Link 1: SystemLook (32-bit)
Link 2: SystemLook (32-bit)

Link 1: SystemLook (64-bit)
Link 2: SystemLook (64-bit)
  • Double-click SystemLook.exe to run it.
  • Vista/Windows 7 users right-click and select Run As Administrator.
  • Copy and paste everything in the codebox below into the main textfield:
    :filefind
    urlmon.dll
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open SystemLook.txt with the results of the search and save a copy on your Desktop.
  • Please copy and paste the contents of that log in your next reply.


#11 Rustum, Topic Starter (Members, 41 posts, Cape Town, SA)

Posted 29 September 2010 - 09:54 AM

SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 16:53 on 29/09/2010 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "urlmon.dll"
C:\WINDOWS\$hf_mig$\KB974455\SP2QFE\urlmon.dll --a---- 628224 bytes [05:49 25/09/2009] [05:49 25/09/2009] 63A184C947B459F6F7788CA4E3857E51
C:\WINDOWS\$hf_mig$\KB974455\SP3GDR\urlmon.dll --a---- 627712 bytes [05:37 25/09/2009] [05:37 25/09/2009] 64829DA097C9C482594E3EBE2F8F3FF4
C:\WINDOWS\$hf_mig$\KB974455\SP3QFE\urlmon.dll --a---- 628736 bytes [05:32 25/09/2009] [05:32 25/09/2009] B5C92F495A62909F4E12BB947258DDC6
C:\WINDOWS\$hf_mig$\KB974455-IE7\SP3QFE\urlmon.dll --a---- 1170944 bytes [17:32 25/10/2009] [07:31 29/08/2009] 7E449339ABD7078FDF27A2227EAE5800
C:\WINDOWS\$hf_mig$\KB976325-IE7\SP3QFE\urlmon.dll --a---- 1170944 bytes [07:45 29/10/2009] [07:45 29/10/2009] 57298949300B66FB4E26673E460D7771
C:\WINDOWS\$hf_mig$\KB978207-IE7\SP3QFE\urlmon.dll --a---- 1170944 bytes [09:57 05/01/2010] [09:57 05/01/2010] F0B8F96CA3F5E9A23F175C0E9A4FFAA1
C:\WINDOWS\$hf_mig$\KB980182-IE7\SP3QFE\urlmon.dll --a---- 1171968 bytes [11:49 11/03/2010] [11:49 11/03/2010] 7146C8EECE7859B167CC3798FDD7F051
C:\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\urlmon.dll --a---- 1171968 bytes [17:20 04/05/2010] [17:20 04/05/2010] 5B367F89508B987DB0B2E7F8897CB8E4
C:\WINDOWS\$NtServicePackUninstall$\urlmon.dll -----c- 485376 bytes [06:35 24/09/2010] [18:37 27/02/2004] D22A95604BEC13979AB6CC3B9B355164
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll -----c- 455680 bytes [14:04 24/10/2009] [01:41 29/08/2002] 2AA791546B4E00E56348196BC6D4724D
C:\WINDOWS\ie7\urlmon.dll --a--c- 624640 bytes [17:31 25/10/2009] [05:56 25/09/2009] 3CE7F2C8F0361AE2FB2514CB3B3915BD
C:\WINDOWS\ie7updates\KB974455-IE7\urlmon.dll -----c- 1162240 bytes [17:33 25/10/2009] [16:54 13/08/2007] 5F0510D33E1B173F9803EC5C287F7CDA
C:\WINDOWS\ie7updates\KB976325-IE7\urlmon.dll -----c- 1168384 bytes [18:14 03/01/2010] [07:36 29/08/2009] CCD7A7961EDE16F0C381CF6E7182A9EF
C:\WINDOWS\ie7updates\KB978207-IE7\urlmon.dll -----c- 1168384 bytes [14:35 27/01/2010] [07:46 29/10/2009] 2BA799D03CC9FF9124E37A39F6A6F004
C:\WINDOWS\ie7updates\KB980182-IE7\urlmon.dll -----c- 1168384 bytes [10:46 14/04/2010] [10:00 05/01/2010] C813B21122833B8D6C556C4C38DA78F2
C:\WINDOWS\ie7updates\KB982381-IE7\urlmon.dll -----c- 1168384 bytes [09:03 10/06/2010] [12:38 11/03/2010] 5CC4CA802CC6EE0EB3DB05133645FB59
C:\WINDOWS\ServicePackFiles\i386\urlmon.dll ------- 619520 bytes [18:49 23/09/2010] [03:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\urlmon.dll --a---- 619520 bytes [21:59 24/10/2009] [00:12 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54
C:\WINDOWS\SoftwareDistribution\Download\d0d6ed29e882a2ff5905d66f68fd56c0\SP3GDR\urlmon.dll --a---- 1168384 bytes [17:26 25/10/2009] [07:36 29/08/2009] CCD7A7961EDE16F0C381CF6E7182A9EF
C:\WINDOWS\SoftwareDistribution\Download\d0d6ed29e882a2ff5905d66f68fd56c0\SP3QFE\urlmon.dll --a---- 1170944 bytes [17:26 25/10/2009] [07:31 29/08/2009] 7E449339ABD7078FDF27A2227EAE5800
C:\WINDOWS\system32\urlmon.dll --a---- 619520 bytes [18:37 27/02/2004] [03:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54
C:\WINDOWS\system32\dllcache\urlmon.dll --a--c- 619520 bytes [18:37 27/02/2004] [03:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54

-= EOF =-



#12 quietman7, Bleepin' Janitor (Global Moderator, 52,082 posts, Virginia, USA)

Posted 29 September 2010 - 10:30 AM

Now you have several locations of the file to choose from. Since this tool provides the file size and date, I would check for a newer version number by manually navigating to the file, right-clicking on it and looking at the Version tab. The urlmon.dll file in the system32 folder (and dllcache subfolder) is the one you should be looking to replace, as that would be the typical one involved with the error. Rename it by adding .vir after the file's extension. Then copy a newer file from another location and drop the copy in the system32 folder and see if that resolves the error.
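As an added example (not code from this thread, from SystemLook's author or from BleepingComputer), the script below does the comparison quietman7 describes mechanically on a filefind log like the one Rustum posted: it parses each result line, groups the copies by MD5, checks that the live copy in system32 and its dllcache twin are byte-identical (Windows File Protection restores a protected DLL from dllcache, so a mismatch there means one of them changed after the last protection check), and lists the remaining, different copies newest-modified first so you know which ones to right-click and inspect on the Version tab. The embedded log is a constructed five-line subset of the 22 entries posted above, and the `C:\WINDOWS\system32` default is an assumption for this XP layout. The MD5 column is also what you can look up on VirusTotal, as suggested earlier in the thread, without uploading the file itself.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed test input: a subset of the SystemLook "filefind" log posted in this
# thread (the real log lists 22 copies). Raw string so the backslashes survive.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
Log created at 16:53 on 29/09/2010 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "urlmon.dll"
C:\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\urlmon.dll --a---- 1171968 bytes [17:20 04/05/2010] [17:20 04/05/2010] 5B367F89508B987DB0B2E7F8897CB8E4
C:\WINDOWS\ie7updates\KB982381-IE7\urlmon.dll -----c- 1168384 bytes [09:03 10/06/2010] [12:38 11/03/2010] 5CC4CA802CC6EE0EB3DB05133645FB59
C:\WINDOWS\ServicePackFiles\i386\urlmon.dll ------- 619520 bytes [18:49 23/09/2010] [03:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54
C:\WINDOWS\system32\urlmon.dll --a---- 619520 bytes [18:37 27/02/2004] [03:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54
C:\WINDOWS\system32\dllcache\urlmon.dll --a--c- 619520 bytes [18:37 27/02/2004] [03:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54

-= EOF =-
"""

FileCopy = namedtuple("FileCopy", "path attrs size created modified md5")

# One result line: path, 7-char attribute flags, size, created/modified stamps, MD5.
ENTRY_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\\S.*?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes '
    r'\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$'
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
TS_FORMAT = "%H:%M %d/%m/%Y"  # SystemLook prints HH:MM DD/MM/YYYY


def parse_filefind(text):
    """Return (searched file name, [FileCopy, ...]) from a SystemLook filefind log."""
    name, copies = None, []
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            name = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m:
            copies.append(FileCopy(
                path=m.group("path"),
                attrs=m.group("attrs"),
                size=int(m.group("size")),
                created=datetime.strptime(m.group("created"), TS_FORMAT),
                modified=datetime.strptime(m.group("modified"), TS_FORMAT),
                md5=m.group("md5").upper(),
            ))
    return name, copies


def group_by_hash(copies):
    """Map each distinct MD5 to the paths that hold exactly that file content."""
    groups = defaultdict(list)
    for c in copies:
        groups[c.md5].append(c.path)
    return dict(groups)


def triage(copies, system_dir=r"C:\WINDOWS\system32"):
    """Compare every copy with the live one in system32 (assumed XP layout)."""
    live_dir = system_dir.lower()
    parent = lambda c: c.path.lower().rsplit("\\", 1)[0]
    live = next((c for c in copies if parent(c) == live_dir), None)
    if live is None:
        raise ValueError("no copy found in " + system_dir)
    dllcache = next((c for c in copies if parent(c) == live_dir + r"\dllcache"), None)
    identical = [c.path for c in copies if c.md5 == live.md5 and c is not live]
    # Copies whose content differs from the live one, newest-modified first; these
    # are the candidates to check on the Version tab (the date is a hint, not proof).
    others = sorted((c for c in copies if c.md5 != live.md5),
                    key=lambda c: c.modified, reverse=True)
    return {
        "live": live,
        "identical_copies": identical,
        # WFP keeps dllcache and system32 in step; a mismatch means one was altered.
        "dllcache_in_sync": dllcache is not None and dllcache.md5 == live.md5,
        "other_versions": [(c.path, c.size, c.modified.date().isoformat()) for c in others],
    }


if __name__ == "__main__":
    name, copies = parse_filefind(SAMPLE_LOG)
    print(f"{len(copies)} copies of {name}, {len(group_by_hash(copies))} distinct hashes")
    r = triage(copies)
    print("live:", r["live"].path, r["live"].md5, "dllcache in sync:", r["dllcache_in_sync"])
    for path, size, modified in r["other_versions"]:
        print(f"  candidate {path}  {size} bytes  modified {modified}")
```

Run it against the full log by pasting the complete SystemLook.txt contents into `SAMPLE_LOG`; the parser ignores the header and footer lines and only needs the `Searching for` line and the result lines.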

#13 Rustum, Topic Starter (Members, 41 posts, Cape Town, SA)

Posted 29 September 2010 - 10:45 AM

I took the newest I could find, 7.0.6000.21256, followed your instructions and dropped a copy in the system32 folder and dllcache folder. No help. I then checked the properties of the two copies - the one in the system32 file now says 6.0.2900.5512. So it seems something is writing to that urlmon.dll.

#14 quietman7, Bleepin' Janitor (Global Moderator, 52,082 posts, Virginia, USA)

Posted 29 September 2010 - 10:58 AM

From what you are describing I don't believe this is a malware-related issue, and you may be dealing with a separate problem. When did you first notice the problem with IE?

Also, besides that problem, how is your computer running, and are there any more signs of infection: strange audio ads, unwanted pop-ups, security alerts, or browser redirects?

#15 Rustum, Topic Starter (Members, 41 posts, Cape Town, SA)

Posted 29 September 2010 - 11:11 AM

My computer is running fine. My main anxiety is to make sure that it is absolutely clean.

I noticed the IE issue after I had repaired my installation. Since I never use IE, I only noticed it when I wanted to go to certain Microsoft update pages. So:

1. In Firefox, I would go to a link. In the Firefox browser, there was a message to use IE 5 or later. Upshot: I started worrying about Windows updates possibly being blocked.

2. So I tried IE, and discovered the problem.

I'm still worried that:

1. I cannot check to see whether I have the latest updates - my SP3 was downloaded in July 2010, so I imagine there should be updates (Autoupdate is on).

2. Whether my machine is fully clean.



