Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AV warning about installshield setup but can't find it


  • This topic is locked This topic is locked
10 replies to this topic

#1 coles1mom

coles1mom

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:07 AM

Posted 17 November 2010 - 03:34 PM

Good Afternoon,

Kaspersky keeps blocking an Installshield Installation setup.exe but cannot find it to quarantine it. They advised me to just add Adobe to my trusted list. IE8 at times just closes then reopens a few seconds later.
Today got the BSOD after the computer had been hibernating for about a hour.

Tried to run GMER, had to hard shut down, all 4 times. It did make it as far a svchost.exe [200] msvcrt.dll

Could just be a Vista issue, I know :P

I have tried SAS, MBAM, rkill, tdsskiller.

Thank You for your help.


DDS (Ver_10-11-10.01) - NTFSx86
Run by R&P at 14:21:03.10 on Wed 11/17/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1982 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\R&P\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

============= SERVICES / DRIVERS ===============

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2010-4-22 22104]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-7-1 352976]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-8-26 207360]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-16 14:28:06 -------- d-----w- c:\users\r&p\appdata\local\Adobe
2010-11-16 14:21:30 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{1c805a20-12b9-4e13-b28b-ca810a9119a0}\mpengine.dll
2010-11-10 12:11:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-10-27 10:59:35 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 10:59:34 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-27 10:59:34 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-15 08:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll

============= FINISH: 14:21:26.48 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 9/12/2008 6:07:11 PM
System Uptime: 11/17/2010 2:16:55 PM (0 hours ago)

Motherboard: OEM_MB | | IVY8
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4400+ | Socket AM2 | 2300/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 287 GiB total, 218.736 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 1.231 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0003
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0003
Service: tunnel

==== System Restore Points ===================


==== Installed Programs ======================

32 Bit HP CIO Components Installer
4300
4300_Help
4300Trb
Acrobat.com
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.0
AIO_CDB_ProductContext
AIO_CDB_Software
AIO_Scan
BufferChm
Cards_Calendar_OrderGift_DoMorePlugout
Compatibility Pack for the 2007 Office system
Copy
CustomerResearchQFolder
CyberLink DVD Suite Deluxe
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
ESET Online Scanner v3
eSupportQFolder
Fax
Hardware Diagnostic Tools
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Advisor
HP Customer Experience Enhancements
HP Customer Feedback
HP Customer Participation Program 8.0
HP Demo
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart Essential
HP Photosmart Essential 2.5
HP Photosmart Essential 3.0
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
HP Product Assistant
HP Recovery Manager RSS
HP Solution Center 8.0
HP Update
HPAsset component for HP Active Support Library
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
HPTCSSetup
Java Auto Updater
Java™ 6 Update 22
Kaspersky Internet Security 2011
LabelPrint
LightScribe System Software
LightScribeTemplateLabeler
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Home and Student 60 day trial
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.1
My HP Games
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PCIe Soft Data Fax Modem with SmartCP
PictureMover
Power2Go
PowerDirector
PSSWCORE
Python 2.5.2
Realtek High Definition Audio Driver
Scan
Secunia PSI
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 8
SPORE Creature Creator Trial Edition
Spybot - Search & Destroy
Status
Sun Download Manager 2.0 (web)
SUPERAntiSpyware
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VideoToolkit01
WebReg

==== End Of File ===========================

BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:07 PM

Posted 27 November 2010 - 09:35 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 coles1mom

coles1mom
  • Topic Starter

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:07 AM

Posted 28 November 2010 - 06:59 AM

Good Morning m0le

Thank you for helping me out.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:07 PM

Posted 28 November 2010 - 07:17 AM

Could also be a false positive.

Can you tell me exactly what Kaspersky says (or screenshoot it if you know how to)?
Posted Image
m0le is a proud member of UNITE

#5 coles1mom

coles1mom
  • Topic Starter

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:07 AM

Posted 28 November 2010 - 08:59 AM

m0le, I think I've got the screen shot done. Sorry about having to attach it.

I have uninstalled flash and reinstalled it since I first posted about the issue. I also had to reinstall a graphics drive as well.
12 issues with IE8, a couple of host process issues,5 issues with securnia psi stopped working, SAS stopped working and so forth. All this in less than a month. Just thought there might be some malware behind it all.

I just love Vista.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:07 PM

Posted 28 November 2010 - 04:31 PM

It isn't letting me open that - I think it's probably a site security issue.

Do you know how to post an image?
Posted Image
m0le is a proud member of UNITE

#7 coles1mom

coles1mom
  • Topic Starter

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:07 AM

Posted 28 November 2010 - 05:23 PM

Sorry, I don't. It states: Not Found... Unknown threat UDS: dangerous object multi generic...c:\program files\installshield installation information C27C82E4-9C53-4D76-9Ed3 A01AD5EE679\setup.exe

After about two hours of the warning popping up I clicked KIS to quarantine it and that is how I got the not found message. Then I started getting a bunch of window error reports which I know Vista is famous for but just wanted to make sure.

m0le, if my DDS looks ok, then I'm sorry I took your time from someone who does need it.

Thank you so much for your help. :)

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:07 PM

Posted 28 November 2010 - 07:12 PM

It looks like a false positive to me, coles1mom.

You could attempt to navigate to it and send it to a multi-scan site such as Jotti to be sure.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\program files\installshield installation information C27C82E4-9C53-4D76-9Ed3 A01AD5EE679\setup.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal
Posted Image
m0le is a proud member of UNITE

#9 coles1mom

coles1mom
  • Topic Starter

  • Members
  • 212 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:07 AM

Posted 28 November 2010 - 07:59 PM

Good Evening m0le,

That file does not exist. I guess that is why KIS couldn't find it either.

Thank you.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:07 PM

Posted 28 November 2010 - 08:28 PM

No problem. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:07 PM

Posted 03 December 2010 - 07:54 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users