Infected With Fraud.AVSecuritySuite


  • This topic is locked
19 replies to this topic

#1 Phil2

Phil2

  • Members
  • 63 posts
  • Gender:Male
  • Location:The Land Of Angles

Posted 15 July 2012 - 03:17 PM

The last few weeks Spybot Search & Destroy has been picking up 'Fraud.AVSecuritySuite' in the scans. These are the two infections it picks up each time around:

--- Search result list ---
Fraud.AVSecuritySuite: [SBI $5587D6DE] Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...

Fraud.AVSecuritySuite: [SBI $5587D6DE] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...


The problem is Spybot S&D says it has removed them, then when I do a new scan it picks the same two problems up again. I did scans one after the other and after restarting the PC and Spybot still picks up the infections.

There is no redirecting or ads as is usually common with this type of infection. However, the performance of the PC has been sluggish for a few months, long before the Fraud.AVSecuritySuite appeared; I assumed this was because of age, as this PC has low specs and is nearly 7 years old. It takes longer to load up, something I've tried to fix using start-up, with no joy. It also takes longer to load web pages and my VLC Media Player doesn't work properly anymore; I don't know if these are related or not.

Avast Free Anti-virus, Malwarebytes and SuperAntiSpyware haven't been able to detect the infection.

The OS I use is an XP Home Edition with 76GB HDD (15.6GB currently used), 500MB of RAM with standard audio and video cards.

CD Emulator Software has been disabled.

All logs included as was asked for in the prep guide.

Please Note: The GMER scan may not be accurate. When I double-click the programme it starts scanning automatically before I can uncheck IAT/EAT. I also had to disable my Avast Anti-Virus to complete the DDS scan.

________________________________________________________________________________________-
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by User at 8:05:46 on 2012-07-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.209 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.mytalktalk.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9CD50C06-13EB-47A8-96ED-561DE9847D39} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B94024F4-50C9-415D-BFE1-82CB199F4C1C} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\w3xj68ml.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.talktalk.co.uk/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-13 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-1 353688]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-1 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-1 44808]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-1-16 21992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-3-18 113120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ZD1211BU(TP-LINK);TL-WN322G/WN322G+ Wireless USB Adapter Driver(TP-LINK);c:\windows\system32\drivers\ZD1211BU.sys [2010-6-3 500736]
.
=============== Created Last 30 ================
.
2012-07-10 18:42:10 208896 ----a-w- c:\windows\MBR.exe
2012-07-10 18:42:09 98816 ----a-w- c:\windows\sed.exe
2012-07-10 18:42:09 518144 ----a-w- c:\windows\SWREG.exe
2012-07-10 18:42:09 256000 ----a-w- c:\windows\PEV.exe
.
==================== Find3M ====================
.
2012-07-09 13:55:39 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-09 13:55:39 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 12:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 14:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-06 22:08:13 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 8:06:57.26 ===============

Thank you for any help rendered! :)

- Phil

Edited by Phil2, 15 July 2012 - 03:34 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 July 2012 - 10:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your Hosts file was compromised.
How do I reset the hosts file back to the default?
http://support.microsoft.com/kb/972034

Use the Fix it button on the page.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.

#3 Phil2

Phil2
  • Topic Starter
  • Members
  • 63 posts
  • Gender:Male
  • Location:The Land Of Angles

Posted 20 July 2012 - 09:28 PM

Hello nasdaq!

I did all you said and what you requested is posted below. However, I have a few questions for you, if that's OK?

After the ComboFix scan and a restart Firefox was not my preferred browser and I had to make it so. Is this normal after a ComboFix scan?

You say my Hosts file was compromised? You mean it actually was before I did the ComboFix scan, or that it was and the ComboFix is just to make sure the problem's gone?

It said in the security check that my Hard drive needs defragging? I check this once a month and it never says it needs it. Why?

COMBOFIX LOG RESULTS:

ComboFix 12-07-20.02 - User 20/07/2012 14:48:44.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.50 [GMT 1:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-20 to 2012-07-20 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-09 13:55 . 2012-04-06 12:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-09 13:55 . 2011-05-16 19:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 16:21 . 2010-12-01 12:01 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2011-05-13 16:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2010-12-01 12:01 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2010-12-01 12:01 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2010-12-01 12:01 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2010-12-01 12:01 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2010-12-01 12:01 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2010-12-01 12:01 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2010-12-01 12:00 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2010-12-01 12:00 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-03 12:46 . 2010-08-13 14:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-10-26 23:21 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19 . 2008-06-09 09:29 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2008-06-09 09:29 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2006-11-28 15:04 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2006-11-28 15:04 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2006-11-28 15:04 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2008-06-09 09:29 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2006-11-28 15:04 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2006-11-28 15:04 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2005-05-26 04:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2008-06-09 09:29 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2006-11-28 15:04 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2006-11-28 15:04 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 14:18 . 2009-12-02 11:27 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 14:18 . 2009-12-02 11:27 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 14:18 . 2009-12-02 11:27 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-06 22:08 . 2011-12-23 04:41 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-05-04 13:12 . 2004-08-04 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2006-11-28 15:02 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-10 20:14 . 2012-06-13 00:58 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-10_18.58.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-20 13:40 . 2012-07-20 13:40 16384 c:\windows\temp\Perflib_Perfdata_6c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AvgUninstallURL]
start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBJAEMAQQBNADEANQAtAEEAWgBZADQAOAAtAFQATAA2AFkAOAAtADkAVQBCAFUAUgAtADcAVABHAFYAUwAtADQARgBTAFUANgA&inst=NwA2AC0ANQAyADcANgAyADIAOQA3ADUALQBYAE8AMwA2ACsAMQAtAE4AMQBEACsAMQAtAFAATAArADkA&prod=92&ver=9.0.872 [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-10-19 02:12 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-09-04 01:43 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-07-03 12:46 973488 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 14:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-06-14 20:34 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BT Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [13/05/2011 17:53 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [01/12/2010 13:01 353688]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [12/08/2011 00:38 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [01/12/2010 13:01 21256]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [16/01/2012 22:32 21992]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [06/04/2012 13:34 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [18/03/2012 04:16 113120]
S3 ZD1211BU(TP-LINK);TL-WN322G/WN322G+ Wireless USB Adapter Driver(TP-LINK);c:\windows\system32\drivers\ZD1211BU.sys [03/06/2010 13:49 500736]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 13:55]
.
2012-07-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-06-27 16:21]
.
2012-07-20 c:\windows\Tasks\User_Feed_Synchronization-{D5840A57-2511-4A89-8F9F-E7227BBC4218}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mytalktalk.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\w3xj68ml.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.talktalk.co.uk/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-20 15:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3840)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-07-20 15:04:49
ComboFix-quarantined-files.txt 2012-07-20 14:04
ComboFix2.txt 2012-07-10 19:03
.
Pre-Run: 65,679,343,616 bytes free
Post-Run: 65,678,557,184 bytes free
.
- - End Of File - - 26D17AC2C0D4F2A70D30BF6D85042D9A

SECURITY CHECK LOG:

Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Free Antivirus
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 4.6
Spybot - Search & Destroy
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java™ 6 Update 31
Java version out of Date!
Adobe Flash Player 11.3.300.265
Adobe Reader X (10.1.3)
Mozilla Firefox (14.0)
````````Process Check: objlist.exe by Laurent````````
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon!
````````````````````End of Log``````````````````````

I will defrag my hard drive right now and update the programmes that need it. I did usually update this PC, but as I don't use it much anymore I left it to family and they hadn't looked after it like they said they would. So thank you for helping me out here.

Thank you very much! :)

- Phil

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 July 2012 - 10:12 AM

After the ComboFix scan and a restart Firefox was not my preferred browser and I had to make it so. Is this normal after a ComboFix scan?


This is normal. ComboFix starts Internet Explorer to check some settings. It happens that the default browser is not reset.

===

Nothing was removed with ComboFix. Your log is clean.

The OS I use is an XP Home Edition with 76.GB HDD (15.6GB currently used), 500MB of RAM with standard audio and video cards.

If you intend to keep this computer you should increase the RAM. I'm sure you will see some improvement.
Defragging the computer may help.

If you are still getting the Spybot false positive I would remove the application with Add/Remove Programs.

Restart the computer and install the latest version.
===

Please let me know what problem persists.

#5 Phil2

Phil2
  • Topic Starter
  • Members
  • 63 posts
  • Gender:Male
  • Location:The Land Of Angles

Posted 22 July 2012 - 12:37 PM

Two things really,

(1) I updated everything that needed updating and defragged the HDD. Things are a little better after the defrag, but still not as good as a year ago. I've been meaning to get more RAM but have been busy and a little strapped for cash. However, I had the same stats a year ago as I do now and it worked great and it was fast; I had no problems. I can only assume it's because of use.

(2) After the ComboFix scan the 2 Fraud.AVSecuritySuite problems were still there. So I uninstalled the old Spybot S&D and installed a new version. I performed 3 scans (and 3 removals) and the problems are still there. Is this just a false positive?

- Phil

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 July 2012 - 08:32 AM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
Click Go and copy/paste the log (Result.txt) into your next post.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
===

A good number of ports are open.
They are listed in the combofix log under this section.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
etc...


Go to this page and follow the directives.

Using Netstat to find applications using up Internet bandwidth in Windows XP, Vista and 7
http://support.sasktel.com/app/answers/detail/a_id/11365/~/using-netstat-to-find-applications-using-up-internet-bandwidth-in-windows-xp,

Find out from the PID which program is using them. If it's from an unknown source let me know the name.
===

Download Revo Uninstaller
http://majorgeeks.com/Revo_Uninstaller_d5706.html

Revo Uninstaller helps you to remove any unwanted application installed on your computer.

Remove all traces of the old Java version.
===
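The two artefacts the helpers are working from in this thread, the Spybot result lines from post #1 (a ProxyServer value pointing at 127.0.0.1:5643 under two HKEY_USERS paths) and the firewall GloballyOpenPorts list quoted above, parsed by a small triage script. This is an added example, not code from the thread, from Spybot or from ComboFix; the sample lines are copied from the thread and embedded as constructed input, and the script only reads those strings, never the live registry.

```python
"""Triage helpers for two artefacts posted in this thread: Spybot S&D result
lines flagging a per-user ProxyServer value, and the Windows Firewall
GloballyOpenPorts section of a ComboFix log.  Added example; the sample
input below is constructed from the thread and nothing touches the registry."""
import re
from ipaddress import ip_address

# HKEY_USERS\.DEFAULT is a second name for the LocalSystem profile hive,
# HKEY_USERS\S-1-5-18, so a detection under each path is one value, not two.
HIVE_ALIASES = {".DEFAULT": "S-1-5-18"}

PROXY_RE = re.compile(
    r"HKEY_USERS\\(?P<hive>[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet Settings\\ProxyServer=(?P<value>\S+)"
)
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')

# Constructed sample: the two Spybot lines from post #1.
SPYBOT_LINES = [
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...",
    r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...",
]

# Constructed sample: an abridged copy of the ComboFix firewall section.
COMBOFIX_LINES = [
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]",
    r'"%windir%\\system32\\sessmgr.exe"=',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]",
    '"135:TCP"= 135:TCP:TCP Port 135',
] + [f'"{p}:TCP"= {p}:TCP:TCP Port {p}' for p in range(5000, 5021)] + ["."]


def parse_proxy_server(value):
    """Parse a WinINet ProxyServer string into {scheme: (host, port)}.

    Windows accepts either 'host:port' (one proxy for every protocol, keyed
    '*' here) or 'http=h:p;https=h:p;ftp=h:p;socks=h:p'.  Spybot prints the
    value wrapped in '...', which is stripped first."""
    proxies = {}
    for entry in value.strip().strip(".").split(";"):
        if not entry:
            continue
        scheme, sep, hostport = entry.partition("=")
        if not sep:                      # bare 'host:port' form
            scheme, hostport = "*", scheme
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, "0"
        proxies[scheme.lower()] = (host, int(port) if port.isdigit() else 0)
    return proxies


def is_loopback(host):
    """True for 127.x.x.x, ::1 (with or without brackets) and 'localhost'."""
    try:
        return ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_loopback_proxies(lines):
    """Map (hive, scheme) -> (host, port) for every ProxyServer entry that
    points at the local machine.  Aliased hive names collapse, so the two
    Spybot lines above yield a single finding."""
    findings = {}
    for line in lines:
        match = PROXY_RE.search(line)
        if not match:
            continue
        hive = HIVE_ALIASES.get(match["hive"], match["hive"])
        for scheme, (host, port) in parse_proxy_server(match["value"]).items():
            if is_loopback(host):
                findings[(hive, scheme)] = (host, port)
    return findings


def open_ports(lines):
    """Collect (port, proto) pairs from the GloballyOpenPorts section only;
    entries in other firewall subkeys are ignored."""
    ports, in_section = [], False
    for line in lines:
        if line.startswith("["):
            in_section = line.rstrip("]").endswith("GloballyOpenPorts\\List")
            continue
        match = PORT_RE.match(line.strip()) if in_section else None
        if match:
            ports.append((int(match["port"]), match["proto"]))
    return ports


def summarize_ports(ports):
    """Collapse consecutive port numbers per protocol into 'a-b/PROTO' strings."""
    ranges = []
    for port, proto in sorted(ports, key=lambda p: (p[1], p[0])):
        if ranges and ranges[-1][2] == proto and ranges[-1][1] + 1 == port:
            ranges[-1][1] = port
        else:
            ranges.append([port, port, proto])
    return [f"{a}/{p}" if a == b else f"{a}-{b}/{p}" for a, b, p in ranges]


if __name__ == "__main__":
    for (hive, scheme), (host, port) in find_loopback_proxies(SPYBOT_LINES).items():
        print(f"loopback proxy in HKEY_USERS\\{hive}: {scheme} -> {host}:{port}")
    print("firewall exceptions:", ", ".join(summarize_ports(open_ports(COMBOFIX_LINES))))
```

Because the flagged value lives in the LocalSystem hive rather than the logged-on user's HKCU, a tool that reports the current user's IE proxy (as MiniToolBox does) can legitimately say "No Proxy Server is set" while Spybot keeps flagging the S-1-5-18 copy.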

#7 Phil2

Phil2
  • Topic Starter
  • Members
  • 63 posts
  • Gender:Male
  • Location:The Land Of Angles

Posted 26 July 2012 - 11:26 AM

Downloaded MiniToolBox and did as directed. Here are the results:

MiniToolBox by Farbar Version: 23-07-2012
Ran by User (administrator) on 25-07-2012 at 15:39:59
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1 localhost

There are 15248 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

SiS 900-Based PCI Fast Ethernet Adapter = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : user-22234df5e4
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-13-8F-46-C7-6C
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : 25 July 2012 11:11:40
Lease Expires . . . . . . . . . . : 26 July 2012 11:11:40

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 173.194.41.132, 173.194.41.136, 173.194.41.129, 173.194.41.137
173.194.41.134, 173.194.41.130, 173.194.41.131, 173.194.41.142, 173.194.41.133
173.194.41.135, 173.194.41.128

Pinging google.com [173.194.41.132] with 32 bytes of data:
Reply from 173.194.41.132: bytes=32 time=23ms TTL=54
Reply from 173.194.41.132: bytes=32 time=27ms TTL=54

Ping statistics for 173.194.41.132:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 23ms, Maximum = 27ms, Average = 25ms

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.139.183.24, 209.191.122.70, 72.30.38.140

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=150ms TTL=49
Reply from 98.139.183.24: bytes=32 time=205ms TTL=49

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 150ms, Maximum = 205ms, Average = 177ms

Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 8f 46 c7 6c ...... SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination   Netmask           Gateway       Interface     Metric
0.0.0.0               0.0.0.0           192.168.1.1   192.168.1.3   20
127.0.0.0             255.0.0.0         127.0.0.1     127.0.0.1     1
192.168.1.0           255.255.255.0     192.168.1.3   192.168.1.3   20
192.168.1.3           255.255.255.255   127.0.0.1     127.0.0.1     20
192.168.1.255         255.255.255.255   192.168.1.3   192.168.1.3   20
224.0.0.0             240.0.0.0         192.168.1.3   192.168.1.3   20
255.255.255.255       255.255.255.255   192.168.1.3   192.168.1.3   1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

**** End of log ****

I used Netstat, however I wasn't really sure what I was looking at. From what I've seen there are a few repeated PIDs. I took a screenshot and will attach it along with this reply.

When I used Task Manager I couldn't view the PIDs because I use Windows XP on this machine and the pictures on the 'tut' page look like Vista or 7. I will attach a screenshot of the Task Manager for you to view to show you what I mean.

I also ran Revo Uninstaller, and I stopped three processes from running at start up: Windows Live Messenger, Adobe Reader & Acrobat Manager and Java Update Scheduler. I know it's OK to stop WLM from running, but is it OK to stop the others and only update them manually?

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:05 PM

Posted 27 July 2012 - 08:39 AM

I also ran revouninstaller, I stopped three processes from running at start up; windows live messenger, Adobe reader & acrobat manager and Java Update Scheduler. I know it's ok to stop WLM from running but is it ok to stop the others and only update them manually?


It is, but make certain that you update every month; otherwise you may be running a version that has a known flaw and you may be open to some intrusions.
===

I'm getting to think that the items found by Spybot are remnant items in the registry.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :reg
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
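As an added example (PowerShell, not from the thread and not part of SystemLook), the same two keys read directly from the registry, with a verdict on whether a ProxyServer value is present and whether it points at the local machine. The two HKEY_USERS paths are the ones quoted above; checking HKEY_CURRENT_USER as well is my assumption, since that is the hive the logged-on user's browser actually reads. Run it from an Administrator prompt, as SystemLook is.

```powershell
# Added example, not from the thread: read the ProxyServer values Spybot keeps
# flagging straight from the registry so the result can be compared with SystemLook.
# The first two paths are quoted in the thread; HKEY_CURRENT_USER is my addition.
$keys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-ProxyFinding {
    param([string]$KeyPath)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return New-Object PSObject -Property @{ Key = $KeyPath; Enabled = $null; Server = $null; Verdict = 'key missing' }
    }
    $server  = $props.ProxyServer      # $null when the value is absent (SystemLook's "No Context")
    $enabled = $props.ProxyEnable      # DWORD, 1 = proxy in use
    $verdict = 'no ProxyServer value'
    if ($server) {
        # Rogue "AV" families route the browser through a proxy on the local machine;
        # a server entry pointing at 127.0.0.1 or localhost is the tell to look for.
        if ($server -match '(127\.0\.0\.1|localhost):\d+') { $verdict = 'LOOPBACK PROXY - investigate' }
        else { $verdict = 'proxy configured' }
        if ($enabled -ne 1) { $verdict += ' (ProxyEnable off)' }
    }
    New-Object PSObject -Property @{ Key = $KeyPath; Enabled = $enabled; Server = $server; Verdict = $verdict }
}

$keys | ForEach-Object { Get-ProxyFinding -KeyPath $_ } | Format-Table Verdict, Enabled, Server, Key -AutoSize
```

A "no ProxyServer value" verdict on both HKEY_USERS keys corresponds to SystemLook reporting "No Context" for them.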

#9 Phil2

Phil2
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land Of Angles
  • Local time:07:05 PM

Posted 29 July 2012 - 08:41 PM

Hi, Nasdaq.

Here's the result of the SystemLook scan:

SystemLook 30.07.11 by jpshortstuff
Log created at 02:26 on 29/07/2012 by User
Administrator - Elevation successful

No Context: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

No Context: HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

-= EOF =-

Thanks for the advice on the updates, I will do it personally every month on this PC from now on.

"I'm getting to think that the items found by Spybot are remnant items in the registry."


So I was infected at some point? Does this mean it's not dangerous and I should just leave it?

Thanks,

- Phil

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:05 PM

Posted 01 August 2012 - 07:28 AM

Sorry for this long delay.
I had some technical difficulties. I'm back.
===

So I was infected at somepoint? Does this mean it's not dangerous and I should just leave it?


It's not dangerous.

If TeaTimer is enabled it may be interfering with these removals.
Check it out.

So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
In Windows Vista Right click on the ResetTeaTimer.bat and select Run As Administrator.
===

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:05 PM

Posted 08 August 2012 - 08:35 AM

The topic is reopened.

Quoted from your PM.

Sorry for the late reply but I've been busy and it seems you've closed my topic.

It was this one: http://www.bleepingcomputer.com/forums/topic460801.html/page__pid__2765376#entry2765376

In it you asked me to turn the Spybot S&D TeaTimer off, but it was never on; I left it off because it would take up resources. So this isn't causing the problem I keep getting on scanning. I'm just wondering if I need to proceed.

Also, my Avast Internet security icon is not showing on start up in the task bar. It also will not work unless I actively click the desktop icon. Yet when I look in Taskmanager it is running in 'processes'.

I'm not sure if these are connected or not, but I would like your advice.

Thanks,


Try this and see if your Spybot Search & Destroy is still reporting the issues.

Go to Start > Run box, type cmd and hit OK.
Type
ipconfig /flushdns <-- (The space between g and / is needed) and press the Enter key.

repeat with
ipconfig /renew

Then type Exit, hit the Enter key
===

Also, my Avast Internet security icon is not showing on start up in the task bar

Right click on the Icon and see if it's referencing the application.

#12 Phil2

Phil2
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land Of Angles
  • Local time:07:05 PM

Posted 09 August 2012 - 08:21 PM

Hiya Nasdaq,

First of all, sorry for being late replying last time.

I did what you said for the first thing and scanned the PC again with Spybot, it still found the same two anomalies.

I right clicked the Avast icon the first time it happened and everything is still there, 'Open', 'Run as' etc. Yet if I try to scan a file it says Avast isn't running. Not only that, but I'm wondering if the time display in the taskbar, which doesn't auto set to my local time even when I've fixed it, and the screen display, which won't stay at what I set it to, are connected in some way.

Firefox has also been running funny. Once a day, when no windows are open and I open a new window, it says Firefox is already running and that I must close it before starting. So I open Task Manager and end the process. It usually works fine after that.

Things are just becoming odd with this PC, I'm not sure what to do or if it's safe to use.

Any thoughts and advice would be welcomed.

Thanks,

- Phil

Edited by Phil2, 09 August 2012 - 08:25 PM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:05 PM

Posted 10 August 2012 - 08:01 AM

Download the AVAST Uninstall Utility
http://www.avast.com/uninstall-utility
Do not remove it just yet.

Download Microsoft Security Essentials.

http://www.microsoft.com/security/pc-security/mse.aspx

Install the program.

Run the AVAST Uninstall Utility.

===

Not only that but I'm wondering if the time display in taskbar, that doesn't auto set to my local time even when I've fixed it,
If you set the time and date correctly does it continue to keep the time while the computer is powered - ON?

Or is the date/time is changed when you start the computer?
If the latter is the case then the small battery on your motherboard is bad and should be changed.

Let me know.
===

What are the remaining issues?

#14 Phil2

Phil2
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Land Of Angles
  • Local time:07:05 PM

Posted 14 August 2012 - 04:28 PM

I don't understand, why am I installing MS Security and un-installing Avast? Is this just temporary and I can install Avast again later on?

By the way, the error I get when I try to scan anything with Avast is as follows: "Avast UI process (AvastUI.exe) is currently not running. Please run the application before starting a scan."

"If you set the time and date correctly does it continue to keep the time while the computer is powered - ON?"

Yes it does.

"Or is the date/time is changed when you start the computer?"

Yes, it falls behind. I will assume it is the battery you mentioned. How much do these batteries cost and are they hard to remove and install?

"What are the remaining issues?"

The Spybot S&D problem is still there, but I'm assuming it isn't harmful?

My Firefox browser will not open a window when I click on it, it says the programme is already running and I must close the programme to proceed. When I turn it off via taskmanager I can run it.

#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:05 PM

Posted 15 August 2012 - 08:27 AM

I don't understand, why am I installing MS Security and un-installing Avast? Is this just temporary and I can install Avast again later on?

You will be able to install Avast when all is well.
===

"If you set the time and date correctly does it continue to keep the time while the computer is powered - ON?"

Yes it does.

"Or is the date/time is changed when you start the computer?"

Yes, it falls behind. I will assume it is the battery you mentioned. How much do these batteries cost and are they hard to remove and install?


The battery is also required to keep your BIOS settings.
If you need to check further on this start a new topic in the Internal hardware forum.
http://www.bleepingcomputer.com/forums/forum7.html

===

Open your Autoexec.bat file with NotePad.

(If the file does not exist create one)

Add these two commands

DATE
TIME


Save the file.

Next time you start the computer you will be given an opportunity and a reminder to fix the Date and Time each time you start the computer.

===

The Spybot S&D problem is still there, but I'm assuming it isn't harmful?
Not harmful, and I'm hoping the MS Security will take care of it.
===

My Firefox browser will not open a window when I click on it, it says the programme is already running and I must close the programme to proceed. When I turn it off via taskmanager I can run it.

Something is preventing Firefox from exiting completely.
Here again I hope that MS security can find it.
