
Outlook express autonomus, odd Kaspersky warnings, Malwarebytes fights infection and loses?


  • This topic is locked
54 replies to this topic

#1 Digitalrust


Posted 14 March 2011 - 10:57 PM

I had about three years of fast, headache-free use with this computer, which I think is pretty good luck, but then about a month ago Kaspersky Internet Security 2011 - 11.0.1.400 warning messages started popping up on my screen saying that each of the applications listed below was "Allowed" by Kaspersky as trusted but was "Using program interfaces of other applications".

Firefox
WebToolBar component
Firefox
Outlook Express
Windows Messenger
WebToolBar component
Firefox
HP CUE Alert Popup Window Objects
GPCore COM object
HP CUE Status Root
Generic Host Process for Win32 Services
iTunesHelper
HP Digital Imaging Monitor
Windows Explorer
WMI
Windows Genuine Advantage Notifications
Windows NT Logon Application
WMI
Application Layer Gateway Service
Generic Host Process for Win32 Services
Windows NT Logon Application
WebToolBar component
WebToolBar component
HP CUE Alert Popup Window Objects
GPCore COM object
HP CUE Status Root
iTunesHelper
Generic Host Process for Win32 Services
HP Digital Imaging Monitor
Windows Explorer
Windows Genuine Advantage Notifications
Windows NT Logon Application
Windows Messenger
Windows NT Logon Application

This kind of warning message was new. It kept popping up for about two weeks off and on with no perceptible pattern. Since I had never seen that message before, I scanned my computer with Kaspersky AV, but it found nothing.

The "Using program interfaces of other applications" warning kept popping up, so I scanned my computer with Malwarebytes Anti-Malware. It found two registry infections ("Registry Data Items Infected: 2"):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I figured I had found the problem because the "Using program interfaces of other applications" messages stopped, and I thought the problem was fixed. I wasn't that lucky.

About a day later the "Using program interfaces of other applications" messages appeared again with every program I started. Then, and this was really freaky to watch, the Outlook Express program opened all by itself. I mean it just started all by itself, and other windows started opening really fast as if someone else, a ghost?, was sitting at my keyboard.

Then the Kaspersky warning message window reported that trusted "Internet Control Panel" was allowed access to protected storage. Then it said "Outlook Express, a trusted application, via another application, was attempting to access password storage." Then in really quick succession I think it said svchost and wmi were seeking low level disk access. What??? The outgoing data light started blinking so I pulled the internet plug out and just sat there staring at the screen knowing I had a big problem.

First I backed up all of the data that had changed since my last full backup, I created an account on bleepingcomputer.com, enabled the firewall which, to my surprise, was turned off, ran defogger, ran dds, ran gmer but there I ran into another problem.

The first time, when gmer was just about finished, it froze up. I could not save any logs, close any windows, type anything. I was frozen out. So I cut the power and restarted. The second time I ran gmer it had similar problems. The third time I ran GMER I was able to save the ark.txt.

I am totally out of my depth here and I am hoping there is a bleepingcomputer.com expert who can help me solve these problems?

This is my DDS.txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Arclight at 19:26:22.45 on Thu 03/10/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1429 [GMT -8:00]

AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe
C:\Documents and Settings\Arclight\My Documents\Data\1-download-here-first\1-bleeping computer\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275451588953
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1275451580703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll, c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - "c:\documents and settings\arclight\my documents\data\core security programs\sysinternals\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\arclight\applic~1\mozilla\firefox\profiles\ys9rzyin.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\arclight\application data\mozilla\firefox\profiles\ys9rzyin.default\extensions\{16f796dd-a279-4548-9b3a-393d1eef31df}\platform\winnt\components\imageassistant.dll
FF - component: c:\program files\mozilla firefox\extensions\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft research\hd view\nphdview.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Anti-Banner: KavAntiBanner@Kaspersky.ru - c:\program files\mozilla firefox\extensions\KavAntiBanner@Kaspersky.ru
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Image Assistant: {16f796dd-a279-4548-9b3a-393d1eef31df} - %profile%\extensions\{16f796dd-a279-4548-9b3a-393d1eef31df}
FF - Ext: 1-Click YouTube Video Downloader: YoutubeDownloader@PeterOlayev.com - %profile%\extensions\YoutubeDownloader@PeterOlayev.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-2-26 38432]
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\GEARASPISYS.SYS [2008-4-12 53412]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-12-23 475736]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-7-1 352976]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-23 363344]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-10-4 66560]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [2007-5-9 107648]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-23 20952]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2008-11-8 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2008-11-8 3768]
S1 TVicPort64;TVicPort64;\??\c:\windows\syswow64\drivers\tvicport64.sys --> c:\windows\syswow64\drivers\TVicPort64.sys [?]
S3 ALSysIO;ALSysIO; [x]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 CEUSBAUD;DigiTech USB MIDI Driver (MIDI);c:\windows\system32\drivers\ceusbaud.sys [2008-4-12 17920]
S3 epppdt;EPSON 1394.3 Class;c:\windows\system32\drivers\epppdt.sys [2008-3-20 31269]
S3 epppdtpr;EPSON 1394.3 Printer Class;c:\windows\system32\drivers\epppdtpr.sys [2008-3-20 14457]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2011-3-5 39048]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2007-7-27 14336]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-11-8 200704]
S3 USB18PRG;mikroElektronika USB18F Device (x86 Platform);c:\windows\system32\drivers\USB18PRG.sys [2008-11-12 39424]
S4 gupdate1c98fdc349f2480;Google Update Service (gupdate1c98fdc349f2480);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]

=============== Created Last 30 ================

2011-03-10 03:44:38 -------- d-----w- C:\My WinHttrack Web Sites
2011-03-10 03:41:58 -------- d-----w- c:\program files\WinHTTrack
2011-03-06 00:42:33 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2011-03-06 00:42:33 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2011-03-06 00:42:33 45200 ------w- c:\windows\system32\drivers\PxHelp20.sys
2011-03-06 00:42:33 125424 ------w- c:\windows\system32\pxinsi64.exe
2011-03-06 00:42:33 123888 ------w- c:\windows\system32\pxcpyi64.exe
2011-03-06 00:42:29 31744 ----a-w- c:\windows\system32\drivers\ICDSX.sys
2011-03-06 00:41:59 39048 ----a-w- c:\windows\system32\drivers\IcdUsb2.sys
2011-03-06 00:41:57 26409 ----a-w- c:\windows\system32\drivers\Icdusb.sys
2011-03-06 00:41:57 122880 ------w- c:\windows\system32\trc.dll
2011-02-16 20:05:15 -------- d-----w- c:\docume~1\arclight\locals~1\applic~1\Jaksta_Technologies_Pty_L
2011-02-16 20:04:14 -------- d-----w- c:\docume~1\arclight\applic~1\Replay Media Catcher 4
2011-02-16 20:04:10 -------- d-----w- c:\program files\Applian Technologies
2011-02-16 19:53:35 -------- d-----w- c:\program files\Replay Converter 4

==================== Find3M ====================

2011-02-04 00:53:44 227840 ----a-w- c:\windows\system32\Deco_32.dll

============= FINISH: 19:27:15.20 ===============



Edited by Digitalrust, 15 March 2011 - 07:22 PM.




#2 Casey_boy

    Bleeping physicist


  • Malware Response Team

Posted 19 March 2011 - 07:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 Digitalrust

  • Topic Starter


Posted 20 March 2011 - 06:03 PM

Thanks for responding Casey_boy,

I am still experiencing the same problems as described in my initial post.

1. Applications are using interfaces of other applications.
2. Outlook Express started on its own yesterday.
3. Windows open and close unexpectedly.
4. Applications trying to access protected password storage.
etc.

I have attached the DDS files you requested, except for the ark.txt gmer.log.

I tried to attach the latest ark.txt but it exceeds my 512k global upload quota.
The third ark log I made is attached to my initial post.

I still need help.

Thank you.




#4 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin

Posted 25 March 2011 - 11:12 AM

Hello, and sorry for the delay.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft

 



#5 Digitalrust

  • Topic Starter


Posted 27 March 2011 - 12:27 AM

Hi elise025,

It is really great you are willing to help me.

I stopped Kaspersky and all other running programs that I could.
Then I ran ComboFix.
It installed the MS Recovery Console.
Then ComboFix kicked my a** ... (so to speak)

ComboFix deleted my "Start - Programs - AV" directory!

That contained the shortcuts to many of my programs dealing with audio programs, DVD creation, CNC machining programs, and video editing support programs and a bunch of related programs. About half of the programs that I use to supplement my income. Does that mean that I can't use the programs any more? Were the shortcuts infected?

I'm really stunned, I hope you can help.

Attached Files: log.txt (26.85KB, 6 downloads)


#6 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin

Posted 27 March 2011 - 02:35 AM

Hi, my guess is that they were deleted based on the foldername "AV". However, don't worry, we can restore them.

If AV is a folder you created yourself, just let me know and I'll post a script to restore all these items.

regards, Elise


#7 Digitalrust

  • Topic Starter


Posted 27 March 2011 - 12:50 PM

Hi elise025,

Yes, I made the AV folder myself as a place to keep audio visual related programs. Would you please post a repair script to bring back my AV folder?

I have noticed something new, a warning message pops up from Kaspersky Internet Security Suite when I click on outlook express or firefox.

I clicked on outlook express and then on the detailed report link in the Kaspersky warning pop up. The detailed report says at 3/27/2011 11:37:50 AM Outlook Express triggered Kaspersky Self-Defense which denied Modify of "REGISTRY\USER\S-1-5-21-1659004503-484763869-839522115-1003\SOFTWARE\KASPERSKYLAB\PROTECTED\AVP11"

When I open Firefox Kaspersky warns that at 3/27/2011 11:31:16 AM a WebToolBar component triggered Kaspersky Self-Defense which Denied Open of C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe




#8 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin

Posted 27 March 2011 - 01:16 PM

Hi, the script below ought to dequarantine the items. Please verify afterwards if everything is in place.

Please uninstall FreeCorder toolbar using Add/Remove programs. This is a questionable application with possible tracking behavior.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
DeQuarantine::
c:\documents and settings\All Users\Start Menu\Programs\AV
c:\documents and settings\Arclight\Start Menu\Programs\AV
Quit::

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


#9 Digitalrust

  • Topic Starter


Posted 27 March 2011 - 02:58 PM

I removed FreeCorder,
then put
DeQuarantine::
c:\documents and settings\All Users\Start Menu\Programs\AV
c:\documents and settings\Arclight\Start Menu\Programs\AV
Quit::
in a file called CFScript.txt in the C:\ directory where ComboFix is located.

Dragged the CFScript.txt onto ComboFix.
Waited.
The Start, Programs, AV directory has not been restored.
I have attached the log2.txt file.

I have a clone of the drive made just prior to running combo fix.
I could restore that and be back to square one.
Should I do that?

Attached Files: log2.txt (13.39KB, 2 downloads)


#10 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin

Posted 27 March 2011 - 03:06 PM

The files are quarantined in the c:\qoobox\quarantine\c\documents and settings\ subfolders. You can copy those back, but you'll have to rename all the files (they will have been renamed to .vir files).

Do you still get the warning when Firefox starts?

regards, Elise
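One way to do that copy-back in bulk, as an added example (not ComboFix's own tooling and not from this thread): it assumes the layout Elise describes, a quarantined C:\path\file stored as C:\Qoobox\Quarantine\C\path\file.vir, and only touches the folders you name, so anything else in the quarantine stays where it is. The drive mapping and the two Start Menu paths in the __main__ block are assumptions for this thread's machine.

```python
"""Copy files out of a ComboFix quarantine back to their original locations.

Added example, not ComboFix's own tooling. Assumed layout (as described in the
thread): a quarantined C:\\path\\file is stored as
<quarantine_root>\\C\\path\\file.vir, so restoring means mirroring the path
under the real drive and stripping the trailing ".vir".
"""
from __future__ import annotations

import shutil
from pathlib import Path

QUARANTINE_SUFFIX = ".vir"  # appended by ComboFix to every quarantined file


def split_quarantined(quarantine_root: Path, item: Path) -> tuple[str, Path] | None:
    """Turn <root>/C/dir/file.lnk.vir into ("C", Path("dir/file.lnk")).

    Returns None for anything that is not a .vir file inside a drive folder
    (ComboFix's own logs at the quarantine root, for instance).
    """
    try:
        parts = item.relative_to(quarantine_root).parts
    except ValueError:
        return None
    if len(parts) < 2 or not item.name.lower().endswith(QUARANTINE_SUFFIX):
        return None
    original_name = item.name[:-len(QUARANTINE_SUFFIX)]
    return parts[0].upper(), Path(*parts[1:-1], original_name)


def is_under(rel: Path, prefix: str) -> bool:
    """Case-insensitive check that rel lies inside prefix (Windows paths ignore case)."""
    r = rel.as_posix().lower()
    p = prefix.replace("\\", "/").strip("/").lower()
    return r == p or r.startswith(p + "/")


def restore_quarantine(quarantine_root: Path, drive_map: dict[str, Path],
                       only_under: list[str], dry_run: bool = True,
                       overwrite: bool = False) -> list[tuple[Path, Path | None, str]]:
    """Restore quarantined files whose original path lies under one of only_under.

    only_under holds drive-relative folders such as
    "Documents and Settings\\All Users\\Start Menu\\Programs\\AV"; everything
    else in the quarantine is left alone. Files are copied, not moved, so the
    quarantine copy survives. Returns (quarantined item, destination, status).
    """
    results: list[tuple[Path, Path | None, str]] = []
    for item in sorted(p for p in quarantine_root.rglob("*") if p.is_file()):
        split = split_quarantined(quarantine_root, item)
        if split is None:
            results.append((item, None, "skipped: not a .vir file"))
            continue
        drive, rel = split
        if drive not in drive_map:
            results.append((item, None, f"skipped: no mapping for drive {drive}"))
            continue
        if not any(is_under(rel, prefix) for prefix in only_under):
            results.append((item, None, "skipped: outside requested folders"))
            continue
        dest = drive_map[drive] / rel
        if dest.exists() and not overwrite:
            results.append((item, dest, "skipped: destination exists"))
            continue
        if not dry_run:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(item, dest)
        results.append((item, dest, "would restore" if dry_run else "restored"))
    return results


if __name__ == "__main__":
    # Assumed values for this thread's machine; run with dry_run=True first
    # and read the plan before flipping it to False.
    plan = restore_quarantine(
        Path(r"C:\Qoobox\Quarantine"),
        {"C": Path("C:/")},
        [r"Documents and Settings\All Users\Start Menu\Programs\AV",
         r"Documents and Settings\Arclight\Start Menu\Programs\AV"],
        dry_run=True,
    )
    for item, dest, status in plan:
        print(f"{status:32} {item} -> {dest}")
```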


#11 Digitalrust

  • Topic Starter


Posted 27 March 2011 - 03:56 PM

I restored the missing shortcuts. Thank you!

Yes, when loading Firefox:
The Kaspersky Self-Defense module denies the WebToolBar component open: 3/27/2011 1:47:42 PM WebToolBar component Self-Defense Denied Open C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

Also when loading Outlook Express:
The Kaspersky Self-Defense module denied modification of the registry: 3/27/2011 1:47:14 PM Outlook Express Self-Defense Denied Modify REGISTRY\USER\S-1-5-21-1659004503-484763869-839522115-1003\SOFTWARE\KASPERSKYLAB\PROTECTED\AVP11


When I was restoring the shortcuts I found something I have never seen:
C:\Qoobox\Quarantine\C\Documents and Settings\Arclight\Application Data\EurekaLog
I left it alone.

Edited by Digitalrust, 27 March 2011 - 04:03 PM.


#12 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin

Posted 27 March 2011 - 04:06 PM

If you do a full system scan with Kaspersky, does anything come up?

Please click Start > Programs > Mozilla Firefox, and select the Firefox (safe mode) option. Does the warning still come up? If not, one of the installed add-ons is causing this. Try to enable them one at a time to see which one is causing the warning and uninstall that one.

regards, Elise


#13 Digitalrust

  • Topic Starter


Posted 27 March 2011 - 04:43 PM

The latest updated version of Kaspersky found nothing.

There is no warning if I open the firefox safe mode.

Run Firefox = get warning
Disable the first add-on in the list "Anti-Banner 11.0.2.556" = no warning
Enable "Anti-Banner 11.0.2.556" = no warning!
The add-on is not labelled Kaspersky but it has a Kaspersky icon.

restart firefox = no warning
restart firefox = no warning
restart firefox = warning!!!
Disable "Anti-Banner 11.0.2.556" = no warning.

What??? the *

Now I restart Firefox with "Anti-Banner 11.0.2.556" disabled = get warning???
I don't understand what is going on.

So I deleted the antibanner 11.0.2.556
rebooted
start firefox and the warning pops up.
Now I've deleted the anti-banner thing and I don't know how to get it back.

Edited by Digitalrust, 27 March 2011 - 05:24 PM.


#14 Digitalrust

  • Topic Starter


Posted 28 March 2011 - 12:44 AM

Hi Elise,

I uninstalled every add on in firefox including the two kaspersky add-ons.
All except the kaspersky anti-banner and the kaspersky URL advisor were re-installed one at a time.
reboot for each install, firefox load for each install, no warning messages from kaspersky.

So I decided that the problem generating the warning message must be in the Kaspersky add-ons. Right? That's all that was left.
To add them back to firefox I asked kaspersky to repair itself from the add/remove console.

Both kaspersky add-ons were added, reboot, load firefox, no warning messages.

I don't understand why.

When I load Outlook Express it still tries to modify the Kaspersky registry entry:
3/27/2011 10:02:46 PM Outlook Express Self-Defense Denied Modify REGISTRY\USER\S-1-5-21-1659004503-484763869-839522115-1003\SOFTWARE\KASPERSKYLAB\PROTECTED\AVP11

Remember, it was Outlook Express opening while I was just sitting in front of my computer, not touching the keyboard; Outlook Express all on its own started sending outgoing data. Then a bunch of windows started opening and closing so rapidly I could not tell what they were. Weirdness with OE made me seek bleepingcomputer help 13 or so days ago.

What should I do next?
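A small parser for the Self-Defense lines transcribed in this thread, added here as an example (not Kaspersky's tooling and not from either poster): it pulls the source application, action and target out of each line, keeps only denials aimed at the product's own protected objects, and tallies them per source, so the repeated Outlook Express write to the protected AVP11 key stands out from a one-off. The line layout is assumed from the transcriptions; the sample input is the three events posted here plus one constructed benign line.

```python
"""Tally Kaspersky Self-Defense denials per source application.

Added example; the line layout is assumed from the events transcribed in this
thread: <date> <time> <source> Self-Defense <verdict> <action> <target>.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

EVENT_RE = re.compile(
    r"^(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<source>.+?) Self-Defense (?P<verdict>\w+) (?P<action>\w+) (?P<target>.+)$"
)

# Objects the thread shows Self-Defense guarding: the product's protected
# registry hive and its main executable.
PROTECTED_MARKERS = ("\\KASPERSKYLAB\\PROTECTED\\", "\\AVP.EXE")

# Sample input: the three events posted in this thread plus one constructed
# line against an unrelated path, to show that such lines are ignored.
SAMPLE_LINES = [
    r"3/27/2011 1:47:42 PM WebToolBar component Self-Defense Denied Open C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe",
    r"3/27/2011 1:47:14 PM Outlook Express Self-Defense Denied Modify REGISTRY\USER\S-1-5-21-1659004503-484763869-839522115-1003\SOFTWARE\KASPERSKYLAB\PROTECTED\AVP11",
    r"3/27/2011 10:02:46 PM Outlook Express Self-Defense Denied Modify REGISTRY\USER\S-1-5-21-1659004503-484763869-839522115-1003\SOFTWARE\KASPERSKYLAB\PROTECTED\AVP11",
    r"3/27/2011 10:05:00 PM Notepad Self-Defense Denied Open C:\Temp\example.txt",  # constructed
]


@dataclass(frozen=True)
class SelfDefenseEvent:
    when: datetime
    source: str
    verdict: str
    action: str
    target: str

    def hits_protected_object(self) -> bool:
        """True when the target is one of the product's own guarded objects."""
        upper = self.target.upper()
        return any(marker in upper for marker in PROTECTED_MARKERS)


def parse_event(line: str) -> SelfDefenseEvent | None:
    """Parse one transcribed line; None when the line does not fit the layout."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M:%S %p")
    return SelfDefenseEvent(when, m["source"], m["verdict"], m["action"], m["target"])


def summarize(lines) -> dict[str, dict]:
    """Per source application: count, actions, targets, first and last seen.

    Only denials aimed at protected objects are counted; unparsable lines and
    events against other paths are dropped.
    """
    summary: dict[str, dict] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.verdict != "Denied" or not ev.hits_protected_object():
            continue
        entry = summary.setdefault(ev.source, {"count": 0, "actions": set(), "targets": set(),
                                               "first": ev.when, "last": ev.when})
        entry["count"] += 1
        entry["actions"].add(ev.action)
        entry["targets"].add(ev.target)
        entry["first"] = min(entry["first"], ev.when)
        entry["last"] = max(entry["last"], ev.when)
    return summary


def repeat_offenders(summary: dict[str, dict], min_count: int = 2) -> list[str]:
    """Sources denied at least min_count times: the ones to look at first."""
    return sorted(src for src, entry in summary.items() if entry["count"] >= min_count)


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for src, entry in report.items():
        print(f"{src}: {entry['count']} denial(s), actions={sorted(entry['actions'])}, "
              f"first={entry['first']}, last={entry['last']}")
    print("repeat offenders:", repeat_offenders(report))
```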

#15 Digitalrust

  • Topic Starter


Posted 28 March 2011 - 12:52 AM

Elise,

Arrrg! Bleeping computer is right!!!!!!!!

I just opened firefox and the blankety-blank kaspersky warning message appeared. AGAIN
After not appearing for ten firefox boots!

I feel like charlie brown trying to kick the football Lucy is holding. Over and over and over.



