
A "program" named CVE-2012-4792 cannot be removed - re: forums/t/486948


This topic is locked
15 replies to this topic

#1 JoanneMT (Members, 180 posts, Florida)

Posted 04 March 2013 - 03:47 PM

A "program" named CVE-2012-4792 cannot be removed. I get an installer error:

"Warning: can't delete value '{a1447a51-d8b1-4e93-bb19-82bd20da6f2}.sdb' under registry key 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe'"

 

Nokojon has so kindly been helping me with forums/t/486948, and suggested I open a separate request for this problem. I think it slithered in with the Java problems, and I did all I could to remove Java from this HP machine. I run XP SP3 and MS Essentials, which only found something once, when I used Rkill before I ran its scan. It said it removed trojans, so I restarted the machine, deleted all previous restore points and made a new one. I use IExplorer 8 and have turned off most add-ons. I use MS Firewall and MS Update and Secunia for updates. I also use Super Anti Spyware which "only" always finds text files to delete or quarantine, now up to about 125. I didn't understand the Hosts file and I deleted all the entries in it, but thanks to Nokojon I will start rebuilding it with one of the utilities he had me run.

 

I will not be able to get back to this until late tomorrow (Wednesday 3/5 or Thurs/Fri).

 

I backed up some important files and ran DDS per Grinler's preparation guide.  Here is the DDS.txt file. And the attach file should be attached.

 

Thank you for your time reading this. You can refer to the other open case for more info, and I think I addressed this problem once trying to get Java off this machine and thought it was clean until the little nasty came back.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by HP_Owner at 15:04:44 on 2013-03-04
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.538 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_6_602_168_Plugin.exe -update plugin
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-00109-0002-0009-ABCDEFFEDCBC} - <orphaned>
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1351699699890
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1352825319515
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} - hxxp://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
TCP: NameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{5FC6C219-7059-4CFB-8EF4-E5889B236DF4} : DHCPNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{B79CD0E0-7DB7-4724-A9D0-ED3179536593} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\25.0.1364.97\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 195296]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-3 398184]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-11-26 1225312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-3 21104]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-3 682344]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-11-26 659040]
S3 cpuz134;cpuz134;\??\c:\docume~1\hp_own~1.hp-\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\hp_own~1.hp-\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\hp_own~1.hp-\locals~1\temp\mfe_rr.sys --> c:\docume~1\hp_own~1.hp-\locals~1\temp\mfe_rr.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2013-1-25 27064]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-1-20 13024]
.
=============== Created Last 30 ================
.
2013-03-04 18:34:48    6954968    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8a294a35-50dc-4beb-9a3e-d3b1b175a97b}\mpengine.dll
2013-03-04 03:53:05    6954968    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-04 01:14:05    --------    d-----w-    c:\program files\Cobian Backup 8
2013-03-02 21:52:17    --------    d-----w-    C:\Logfiles from AdwCleaner
2013-02-28 23:32:23    --------    d-----w-    c:\program files\Speccy
2013-02-28 19:32:49    --------    d-----w-    C:\8dda547c500dddbefb433da14c06
2013-02-25 11:38:48    --------    d-----w-    c:\documents and settings\hp_owner.hp-27e1513d96\application data\ParetoLogic
2013-02-25 11:38:48    --------    d-----w-    c:\documents and settings\hp_owner.hp-27e1513d96\application data\DriverCure
2013-02-25 11:38:27    --------    d-----w-    c:\program files\ParetoLogic
2013-02-25 11:38:27    --------    d-----w-    c:\documents and settings\all users\application data\ParetoLogic
2013-02-25 03:22:57    317440    ------w-    c:\windows\system32\dllcache\mp4sdecd.dll
2013-02-25 03:18:25    --------    d-----w-    c:\program files\Windows Media Connect 2
2013-02-25 03:16:43    --------    d-----w-    c:\windows\system32\LogFiles
2013-02-24 20:13:46    --------    d-----w-    c:\documents and settings\hp_owner.hp-27e1513d96\application data\DefaultTab
2013-02-24 20:13:44    --------    d-----w-    c:\documents and settings\hp_owner.hp-27e1513d96\local settings\application data\Updater19962
2013-02-21 12:09:21    --------    d-----w-    c:\documents and settings\all users\application data\VS Revo Group
2013-02-20 05:43:42    5632    ----a-w-    c:\windows\system32\wbem\snmp\smimsgif.dll
2013-02-20 05:43:42    5632    ----a-w-    c:\windows\system32\wbem\snmp\smierrsy.dll
2013-02-20 05:43:42    5632    ----a-w-    c:\windows\system32\dllcache\smimsgif.dll
2013-02-20 05:43:42    5632    ----a-w-    c:\windows\system32\dllcache\smierrsy.dll
2013-02-20 05:43:42    15872    ----a-w-    c:\windows\system32\wbem\snmp\smierrsm.dll
2013-02-20 05:43:42    15872    ----a-w-    c:\windows\system32\dllcache\smierrsm.dll
2013-02-20 05:43:42    10240    ----a-w-    c:\windows\system32\wbem\snmpstup.dll
2013-02-20 05:43:42    10240    ----a-w-    c:\windows\system32\dllcache\snmpstup.dll
2013-02-15 03:11:50    --------    d-----w-    c:\program files\Hosts_Anti_Adwares_PUPs
2013-02-04 04:43:30    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-02-04 04:43:30    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M  ====================
.
2013-02-13 22:42:49    71024    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-13 22:42:49    691568    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-30 18:10:40    331805736    ----a-w-    C:\Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers
2013-01-30 18:07:54    5520400    ----a-w-    C:\Windows Search 4.0 for Windows XP (KB940157)
2013-01-30 10:53:21    232336    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-26 03:55:44    552448    ----a-w-    c:\windows\system32\oleaut32.dll
2013-01-20 22:01:28    13024    ----a-w-    c:\windows\system32\drivers\SWDUMon.sys
2013-01-20 20:59:04    195296    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-01-09 06:30:39    3645    ----a-w-    c:\windows\viassary-hp.reg
2013-01-07 01:19:45    2148864    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01    2027520    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49:10    148992    ----a-w-    c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10    1292288    ----a-w-    c:\windows\system32\quartz.dll
2012-12-26 20:16:29    916480    ----a-w-    c:\windows\system32\wininet.dll
2012-12-26 20:16:28    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2012-12-26 20:16:28    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2012-12-24 06:40:59    385024    ----a-w-    c:\windows\system32\html.iec
2012-12-16 12:23:59    290560    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-04 20:58:41    499712    ----a-w-    c:\windows\system32\msvcp71.dll
.
============= FINISH: 15:06:07.53 ===============
 
~~~~~~~~~~~~~~~~Thank you



Edited by JoanneMT, 04 March 2013 - 03:53 PM.
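The DDS report above is plain text with fixed section headers, so the two things a responder would pull out of it first can be extracted mechanically: kernel drivers registered from a user's temp directory whose image file no longer exists (DDS marks those with "[?]"), and directories created under the user's Application Data in the last 30 days. The PowerShell below is an added example, not part of the original post or of the DDS tool; the sample input is a constructed excerpt of lines copied from the log above, and the function names Get-DdsSection, Find-SuspiciousDrivers and Find-NewProfileDirs are mine. It only lists candidates for review; of the directories it reports here, Updater19962 is the one ESET later flagged in this thread, while the others are left to the reader's judgement.

```powershell
# Added example: triage a DDS.txt report for drivers loading from odd locations
# and for recently created profile directories. Not part of the thread.
# Sample input: a constructed excerpt of the DDS log posted above.
$ddsSample = @'
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 195296]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-3 21104]
S3 cpuz134;cpuz134;\??\c:\docume~1\hp_own~1.hp-\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\hp_own~1.hp-\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\hp_own~1.hp-\locals~1\temp\mfe_rr.sys --> c:\docume~1\hp_own~1.hp-\locals~1\temp\mfe_rr.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2013-1-25 27064]
.
=============== Created Last 30 ================
.
2013-03-04 01:14:05    --------    d-----w-    c:\program files\Cobian Backup 8
2013-02-25 11:38:48    --------    d-----w-    c:\documents and settings\hp_owner.hp-27e1513d96\application data\ParetoLogic
2013-02-24 20:13:46    --------    d-----w-    c:\documents and settings\hp_owner.hp-27e1513d96\application data\DefaultTab
2013-02-24 20:13:44    --------    d-----w-    c:\documents and settings\hp_owner.hp-27e1513d96\local settings\application data\Updater19962
2013-02-04 04:43:30    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
.
==================== Find3M  ====================
'@

function Get-DdsSection {
    # Yields the lines between the "=== Title ===" header and the next header, skipping "." spacers.
    param([string[]]$Lines, [string]$Title)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^=+\s*(.+?)\s*=+$') {
            $inSection = ($matches[1] -eq $Title)
            continue
        }
        if ($inSection -and $line -ne '.') { $line }
    }
}

function Find-SuspiciousDrivers {
    # Driver line format: <State> <Name>;<DisplayName>;<ImagePath> [<date size>], or [?] when the file is missing.
    param([string[]]$Lines)
    foreach ($line in (Get-DdsSection $Lines 'SERVICES / DRIVERS')) {
        if ($line -notmatch '^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$') { continue }
        $name  = $matches[2]
        $image = $matches[4]
        $stamp = $matches[5]
        $reasons = @()
        if ($stamp -eq '?')                          { $reasons += 'image file not found on disk' }
        if ($image -match '\\temp\\')                { $reasons += 'loads from a temp directory' }
        if ($image -match '\\docume~1\\|\\users\\')  { $reasons += 'loads from a user profile' }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{ Driver = $name; Image = $image; Why = ($reasons -join '; ') }
        }
    }
}

function Find-NewProfileDirs {
    # "Created Last 30" line format: <date> <time>  <size or -------->  <attrs>  <path>; "d" attrs = directory.
    param([string[]]$Lines)
    foreach ($line in (Get-DdsSection $Lines 'Created Last 30')) {
        if ($line -notmatch '^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(.+)$') { continue }
        $created = $matches[1]; $attrs = $matches[3]; $path = $matches[4]
        if ($attrs -like 'd*' -and $path -match '\\application data\\') {
            New-Object PSObject -Property @{ Created = $created; Path = $path }
        }
    }
}

# Split the report into lines and run both checks. Replace $ddsSample with
# (Get-Content C:\DDS.txt) to run against a real report.
$lines = $ddsSample -split "`r?`n"
Find-SuspiciousDrivers $lines | Format-Table Driver, Why, Image -AutoSize
Find-NewProfileDirs $lines | Format-Table Created, Path -AutoSize
```

On the sample above the first table lists cpuz134 and MFE_RR (missing file, temp directory, user profile) and nothing else; the second lists ParetoLogic, DefaultTab and Updater19962. A service entry whose image file is gone cannot load, so by itself it is a leftover rather than a live threat, but a driver that was ever registered from a temp folder is worth asking the user about.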



#2 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 06 March 2013 - 07:05 AM

Greetings JoanneMT and Welcome to the Forums,

CVE is an acronym which stands for Common Vulnerabilities and Exposures. The particular CVE notice you are referencing relates to vulnerabilities in Internet Explorer that were addressed by Microsoft in the updates, available Here. It's not necessary to uninstall it, but it's also not necessary to keep it either, once the updates are in place. As I understand it, there was a "Fix it" that Microsoft issued, as a stop-gap measure, prior to those updates. I believe that's what you are wrestling with.

The best thing I believe you should do is to leave the Microsoft "Fix it" where it is...and, since you are still using Windows XP, try getting familiar with Firefox instead for use as your web browser.

Windows XP users are unable to upgrade IE beyond IE8, which still leaves them in dire straits as to security concerns, so shoring up security by means of an alternate browser is a much better plan.

 

Are you having any issues we can help you with?


Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
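To verify what 1972vet describes, that the "program" is Microsoft's Fix it shim rather than malware and that the permanent update has superseded it, you can read the same registry key named in the first post's error message: the Fix it installs an application-compatibility database (.sdb) and registers it for iexplore.exe under AppCompatFlags\Custom, and the uninstaller's job is to delete that value again. The script below is an added example, not from the thread or from Microsoft. It assumes an elevated PowerShell prompt on the XP machine, the function names are mine, and the KB number KB2799329 (the MS13-008 cumulative IE update that addressed CVE-2012-4792) is stated from the Microsoft bulletin rather than from this page, so confirm it there before relying on it.

```powershell
# Added example (not from the thread or from Microsoft): inspect the shim that the
# CVE-2012-4792 "Fix it" registers for iexplore.exe and check whether the
# permanent IE update is present. Assumes an elevated PowerShell prompt on XP.

$customKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe'
$sdbKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Get-IexploreShimValues {
    # The value names under Custom\iexplore.exe are the "{GUID}.sdb" names;
    # one of these is what the uninstaller in the first post failed to delete.
    if (-not (Test-Path -LiteralPath $customKey)) { return @() }
    (Get-Item -LiteralPath $customKey).GetValueNames() | Where-Object { $_ -like '*.sdb' }
}

function Get-InstalledSdb {
    # Every installed shim database, with its description and whether the .sdb file still exists.
    if (-not (Test-Path -LiteralPath $sdbKey)) { return @() }
    Get-ChildItem -LiteralPath $sdbKey | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        New-Object PSObject -Property @{
            Id          = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            FileExists  = [bool]($p.DatabasePath -and (Test-Path -LiteralPath $p.DatabasePath))
        }
    }
}

function Test-UpdateInstalled {
    # Assumption: KB2799329 is the MS13-008 cumulative IE update that fixed
    # CVE-2012-4792; confirm the number against the Microsoft bulletin.
    param([string]$Kb = 'KB2799329')
    $hit = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $Kb }
    return [bool]$hit
}

$shims = @(Get-IexploreShimValues)
if ($shims.Count -eq 0) {
    Write-Host "No .sdb value under Custom\iexplore.exe: the Fix it shim is not active."
} else {
    Write-Host "Shim value(s) registered for iexplore.exe:"
    $shims | ForEach-Object { Write-Host "  $_" }
}

Get-InstalledSdb | Format-Table Id, Description, FileExists, Path -AutoSize

if (Test-UpdateInstalled) {
    Write-Host "The IE security update is installed; the shim is no longer needed."
} else {
    Write-Host "The IE security update is NOT listed; keep the shim until it is installed."
}
```

If the first function lists no .sdb value yet Add/Remove Programs still shows the entry, the uninstaller's delete step fails in just the way the first post's error reports, because the value it wants to remove is already gone; a missing value is one cause of that error, and a permissions problem on the key is another. In either case the leftover entry is cosmetic once the update is confirmed installed, which is the check that matters for security.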


#3 JoanneMT (Topic Starter; Members, 180 posts, Florida)

Posted 06 March 2013 - 09:25 PM

Thank you for the info, 1972Vet. I am so paranoid with these PCs; SuperAntiSpyware always finds tons of files (only) to delete and quarantine. I have liked the way Chrome works, but I will be happy to try Firefox. I hope searching the forums is the best place to look if an item has already been addressed. I will set Chrome to be the default browser for now and download Firefox, but I am still getting that blank window (everything looks like IE, but IE does not appear in the usual header area and nothing happens when it is called by another program or link). If you think the browser is the problem, then I guess this topic can be closed. I wish there was a way to know if it is safe to log on to the bank on my PC. Thank you again.



#4 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 07 March 2013 - 09:02 AM

My apologies beforehand, for this lengthy read...

I saw your private message and thank you for the sentiments, but I must insist I'm no hero...those would be my brothers and sisters who were there. Mine was the Vietnam war, so I'm not that far in age from you. And, although I took no part in real combat, I can only imagine how my contribution affected lives, both friend and foe, from behind my typewriter. No, my disability has nothing to do with any war time injury. It relates to multiple sclerosis which had been exacerbated by military service. And, while it seems counter-intuitive, such veterans are also granted the same entitlements as the  "disabled" combat veteran if their disability reaches that level, and is determined, by the V.A. to have occurred during military service at the time of a "war" campaign.

 

If that criterion is met, the disabled veteran is awarded some compensation as a measure of comfort and recognition.

 

As such, I proudly wear the badge titled, "disabled veteran" along with my brothers and sisters who DID receive some type of disabling combat injury. Those deserving of the highest recognition, respect and awe, are those who served, whether called or not, and did not come back. Those are my heroes...they and their families are those who've paid the dearest price for which there is no compensation or comfort! Now, on to business...

While I don't find anything particularly disturbing in those logs, I wouldn't hang my hat on just that either...we can look into things a bit deeper. And, please don't get me wrong, IE is still just fine to use; it's just that your level of protection with it will be diminished somewhat due to its vulnerabilities. Compensating for that in other ways, aside from using Firefox (or Chrome, either one), can be accomplished, but installation of additional add-ons would be required, along with vigilance from the user. Let me know if using IE still interests you and I'll try to walk you through installation of certain add-ons which I believe would be helpful to achieve that end.

Having looked at your security setup though, I'd say it appears to me that you are doing quite well with it. I should add, while many folks believe that "some" is good, so "more" must be better, nothing could be further from the truth.

Using Microsoft Security Essentials is actually what I recommend for home users, but coupling that with several other anti-malware programs is both unnecessary and cumbersome...and please don't get me wrong about that either, as I ALWAYS recommend a second opinion. As to security, I believe your setup is sufficient using MSE along with MBAM. The best "next step" would only be to obtain a usage license from MBAM so as to take advantage of the real-time protection and auto update feature. That isn't absolutely critical either, but it is quite a convenience so it's really up to you as you consider your own comfort level. Then, while using those two programs in real time, (or two similar type programs as those two), a user would do well to configure one of them to ignore the activity of the other. MSE, and MBAM though, do get along quite well together, but taking the safe and logical approach is always much better than happenstance.

...and for your second opinion, it also appears that you're right on the mark as I see you have used the ESET online scanner. That scan is excellent for use as your occasional "second opinion".

And one last comment I should add regarding the use of security programs: users should tackle each, one at a time. That is, when one program (such as MSE) complains of some file it found to be offensive, the user should act on that right away, researching the finding thoroughly to determine whether it is valid or a "false positive". Then, acting on that information, users should either allow the program to delete said offensive file or "restore" it, based upon the user's findings. Of course, if the file is found to be a "false positive" result, then it should be restored. Again, and of course, if it is found to be offensive, then the software should be used to "delete" it. The above steps should be carried out for each security program at the time that it complains of some offensive file.

You might be surprised just how many users don't do this, then later complain of some feature of Windows, or some program perhaps, that isn't performing properly. This would be the reason why!

Users should keep on board and maintain an anti-virus solution which runs real time protection, along with a reputable anti-malware scanner such as MBAM. You have done just that, but I see SuperAnti-Spyware is also installed. While it's also a very good program, it must be weighed against MBAM as to advantages vs. disadvantages and considering size, performance, and intrusiveness, MBAM wins out, hands down.

So...to sum up, if I were you, I would keep just MSE and MBAM, and uninstall any others. Using the ESET online scanner on occasion is also recommended.

...now, 'nuff said 'bout all that. I'd like to see next, a log file result from an online scan at ESET. Please do this:
Please disable your on board antivirus product and scan with ESET Here. Click the Run ESET Online Scanner button. Another window will open; here, please accept the agreement, then click the Start button.

When prompted, install the needed software to perform the scan. When it finishes with the install, make sure to check the box titled Scan archives (the Remove found threats box should already be checked by default; please remove the check from that box for now).

Next, click the "Advanced Settings" link. Please make sure all THOSE boxes are checked except for "Use custom proxy settings", then click the Start button.

When it completes, use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log with your next reply, along with a description of any remaining problems. Thanks!

 




#5 JoanneMT (Topic Starter; Members, 180 posts, Florida)

Posted 07 March 2013 - 02:54 PM

Greetings! I like long letters; you wouldn't believe how many sentences I deleted from the PM I sent you. Yes, Vietnam was what I was referring to...

 

Thank you for the instructions on ESET. I had the link on my PC and it saves download time b/c it remembers where the updates left off. I'd never turned off the scanner before so looky what we found! (They are not deleted as you requested).

 

 

C:\Documents and Settings\HP_Owner.HP-27E1513D96\Local Settings\Application Data\Updater19962\Updater19962.exe a variant of Win32/Toolbar.CrossRider.C application
C:\Documents and Settings\HP_Owner.HP-27E1513D96\My Documents\Downloads\ARO2012_tbt (1).exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Documents and Settings\HP_Owner.HP-27E1513D96\My Documents\Downloads\ARO2012_tbt.exe a variant of Win32/Bundled.Toolbar.Ask application
 
Also, last night, I looked at the "users" set up on this PC.  Guess what, there is a user that I did not define and does not show up on the start-up page.  One has way more megs of files than the other. What shall we do next?


#6 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 07 March 2013 - 05:48 PM

It's fine to use the ESET version that you downloaded some time ago, as long as you remembered to run an update anew. If that's what you did, then go ahead and allow the software to delete those quarantined items. Once you delete them, you should reboot the system to allow Windows the opportunity to record the changes to the hard disk (that being, the system, minus those pieces of software which includes related registry entries). When the system comes back up, post back and let us know how the system behaves now and what issues may remain. Thanks!




#7 JoanneMT (Topic Starter; Members, 180 posts, Florida)

Posted 07 March 2013 - 11:31 PM

Hi - I have a link on my desktop, and it updates from the point at which I last used it. I feel sure I marked it not to delete, but before I ran it again, I deleted all my restore points and used ATF Cleaner, and guess what, ESET couldn't find those bad files again. It's late now; I am not sure how to make sure they are gone. I also made Chrome the default browser but need to test if Explorer will come up from another link. Best wishes and thank you!



#8 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 08 March 2013 - 06:31 AM

"...I am not sure how to make sure they are gone. I also made chrome the default browser but need to test if explorer will come up from another link. Best wishes and thank you!"

One way to determine if those entries are gone is to run ESET again. Uninstalling the copy of ESET you already have, then downloading it again from the online free scanner isn't so hard and won't take but a minute. Following the instructions for running ESET that I already posted, allow the scan to complete and post back THAT scan log. Please don't run any other programs, including cleaning programs, unless instructed here, until we finish. Doing so can sometimes cause you more problems than you had when you came here to request assistance...as an example, there are some malware that will copy and retain (although renamed) needed files, and store them in temporary folder(s) that could be deleted from running such cleaning programs.

 

As to the Chrome browser testing...once you have designated a browser as default, it should indeed be the browser that opens when clicking a link. If not, then you didn't save the changes you made to the default browser settings.




#9 JoanneMT (Topic Starter; Members, 180 posts, Florida)

Posted 08 March 2013 - 05:02 PM

Hello again, your instructions are right on! I deleted all Eset programs, Revo helped me get it out of the registry too. I set the switches you said, had online scanner turned off, and during the scan it had found FOUR problems. But before the scan ended, the power in the house fluctuated and shut down the PC. AARRGHHH!!!

 

So I will uninstall ESET again if needed (I emptied the trash before I ran ESET as well, and when I got to ESET online, it thought it was running for the first time!). I haven't uninstalled all the other anti-malware programs I've installed yet; that must be why the ESET scan takes so long, but I will obey the forum rules and not run anything but ESET until we get those nasties out of here.

 

Thanks so much with staying with me.  All the moderators and analysts have been so kind.  I'll get back with you after eset does its thing, and post the log.



#10 JoanneMT (Topic Starter; Members, 180 posts, Florida)

Posted 08 March 2013 - 07:03 PM

ESET ran to completion and did not find anything. The fourth program it found was called something like "unfriend", which I now recognize as a popup I have been seeing to buy software to tell me when someone on facebook un-friends me. I'll surf now and see if it pops up again.  I hope maybe ESET deletes the malware as it runs... Thank you.



#11 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 09 March 2013 - 08:46 AM

...I hope maybe ESET deletes the malware as it runs... Thank you.

Well, it won't do that if you followed the instruction where I said to remove the check from the box labeled:

"Remove found threats"

By removing the check from that box, it will PREVENT the utility from removing them...which is precisely why I need to see the resulting scan log. Please post that when the scan completes. Thanks!




#12 JoanneMT (Topic Starter; Members, 180 posts, Florida)

Posted 09 March 2013 - 10:39 AM

Hello again. No, no - I followed your latest instructions where you said to let it remove the threats. I am so sorry I didn't clarify. I know you are helping lots of people and probably have a life too :-) . So yes, I had it set to remove the threats and it had found four before the power went out. When I re-ran it (fresh) again yesterday and it completed, it found nothing and no scan log popped up (I had checked the box to uninstall itself so I didn't have to go through that again). There is nothing in C:\Program Files\EsetOnlineScanner\log.txt. Both times I used it I started from Chrome.

 

Shall I run it again, starting from IExplorer? I have had Hosts Anti Adware/PUPS running for the last week and it missed the pop-up that ESET found (which I haven't seen again). I still have all those other programs I picked up from watching Bleeping that had similar problems to mine.

 

As you suggested, I will keep MBAM, MS MSE, and a link to ESET.  But I have always found that Super Anti Spyware finds lots of "programs" to quarantine and delete.

 

What do you suggest next?

 

Thank you again for your time and interest, 1972 VET.


Edited by JoanneMT, 09 March 2013 - 01:24 PM.


#13 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 09 March 2013 - 06:18 PM

It's ok...I think you may have gotten rattled a bit because the instruction I gave would have resulted in a scan log which would have shown us what files the scanner considered as suspicious but would not have removed them. It's only because I wanted to have a look at what it found FIRST, before I would have requested that you rescan, and remove those items that it complained of.

 

But, it's ok if you already had the scan remove them as it seems not to have been anything wrongly identified. Are you having any other issues at this time?




#14 JoanneMT (Topic Starter; Members, 180 posts, Florida)

Posted 09 March 2013 - 08:14 PM

Greetings. The short answer to your question, no.  The long form follows if you could review, otherwise you can close this case as I have a plan documented below. Thank you for your time.

 

:\Documents and Settings\HP_Owner.HP-27E1513D96\Local Settings\Application Data\Updater19962\Updater19962.exe a variant of Win32/Toolbar.CrossRider.C application
C:\Documents and Settings\HP_Owner.HP-27E1513D96\My Documents\Downloads\ARO2012_tbt (1).exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Documents and Settings\HP_Owner.HP-27E1513D96\My Documents\Downloads\ARO2012_tbt.exe a variant of Win32/Bundled.Toolbar.Ask application
 
 

 

1972Vet,

This was the log file produced when I ran the first ESET scan without the remove option selected. All your instructions were clear and applicable and patient and kind. The "screw up" happened when my power went out during the ESET scan when it WAS set to remove, and it found (I believe) the above 3 files AND another one, a popup that I recognized seeing. I did a search (including hidden files) of the C: drive for "a variant of Win32" and it didn't find anything. So apparently ESET did clean them as it found them when the power went out; that's why I didn't have another logfile, and maybe there are more for it to find as I clean the machine.

 

SO, I'd like to uninstall all the cleaners I've installed and keep the ones you suggested, and then re-install ESET and see if it finds anything else. If it doesn't, I'll uninstall and re-install and run MBAM and then run MSSE. My habit prior to running full scans is to delete all old restore points and create a new one (unless I see trouble), and run ATF Cleaner (and make note of anything it has to stop), start the program and let it update, get to the "Start" window and close down the browser, and then turn off the auto-scanning of MS Security Essentials. I also update MSSE whenever I start a new session and do restarts when a problem has been cleared.

 

I hope the above is good practice; I've pieced it together from what I've learned from you and other Bleepers and what seems logical to me. I hope I'm not "warning" a bad file to hide itself before a scan. I'll post a scan log if I find anything and stop until I hear from you, or else I will say it all ran OK. If that plan is OK and you all want to close this case that is fine, and if I find anything I cannot resolve I'll open a case in the forums. Okeedokee?

 

Thank you again, for all your kind assistance and training.



#15 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:06 PM

Posted 10 March 2013 - 04:22 AM

Your plan sounds fine by itself, but you might be interested in a few more options that I'll detail below. You can delete the DDS utility if you want, and its associated logs.

 

Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, select 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20110101_Clean). Click "Create" and reboot your computer.

To assist in the prevention of malicious software intrusion and infections, you can begin by reading "How to boost your malware defense and protect your PC"...

Please remember to keep antivirus software on board and always use its real-time protection feature. Run a complete system scan at least once a week... preferably in Safe Mode.

A word of caution
Security vendors, in recent years, have partnered with "Ask.com" in providing the "Ask Toolbar" bundled with their download(s).

Although the toolbar is considered to be a legitimate program, it is nonetheless questionable as to its behavior. It is alleged to be spyware/adware, as this application tracks a user's history and sends "search" information to its servers in order to provide the user with targeted search results; many of these results may also be for questionable web sites. In fairness, one should keep in mind that Google does the same thing regarding search results.

This tracking is considered by many of us in the security field, to be offensive.

Some of the "Download links" that I may provide, may also contain this program bundled with it. If you choose not to use it, the bundled software will always contain an "Opt Out" measure via some checkbox. The user can check (or uncheck) this box to prevent the download.

If a user isn't cautious and has mistakenly installed this program, it can easily be removed via the "Uninstall" string provided with the software. Detailed instructions on how to remove the program can be found Here.

If your antivirus program is a licensed version that is about to expire, you can consider using one of these available free on the public domain:

Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition

Those of us in the online safety/security community have tried and tested these programs to determine their abilities. Keeping in mind that nothing is ever a guarantee regarding computer security, these programs, combined with the rest of these recommendations, are nevertheless certain to have an impact in helping to keep your system running free and clear. I personally have been satisfied from having tested and used each one of those at one time or another.

Immunize your browser by installing Spywareblaster. What does it do?

  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust (WOT) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Below you can choose from several of the freeware firewalls available on the public domain. Even though you may have a firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason. However, I might add that Windows' on-board firewall is, by its default settings, usually just fine for home users.

If you should choose to install a firewall, then choose one (but not more than one)... and of these types of third-party firewalls, below are those that I would recommend, with the few caveats mentioned:

Zone Alarm...Windows 2k/XP/Vista

Outpost Free

Comodo...I highly recommend this firewall, but it may just be best suited for advanced users.

Stay updated with the most recent Windows patches using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Keep your installed software up to date by downloading the free FileHippo Update Checker. Double-click the FHSetup.exe file to install it. When the install completes, you'll find the Update Checker shortcut on the desktop.

Double-click on it and a scan begins, with the results showing in your browser. Any software it finds to be out of date will be presented in your browser. Just click on the download link provided there to download your software updates. Ignore the beta software unless you want that... during the scanner initialization, you can click the settings link, then click the results tab and check the box "Hide beta versions". After clicking the OK button, click the "Retry" link to continue the scan with those settings.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. Please avoid using the "registry" cleaning feature of this utility unless you consider yourself an expert. Contrary to popular thought, the Windows Registry has no need of any "cleaning". I personally challenge anyone to show a substantial benefit from having used any of these "registry cleaning" programs. There is none. Any difference at all is so minuscule that it's nearly impossible to calculate.

On the flip side, rather than any benefit, there is the possibility of slicing out enough pieces of the registry to render things useless... and that includes the operating system.

By default, CCleaner will ask you if you want to back up what is removed, and I suggest you do just that. If you have already used this option and found that something no longer works properly, please find the backup that was created and use it to restore that particular item. Remember, using this to clean the disk is absolutely useful and beneficial. A novice needs only to use the disk cleaning feature... and avoid the registry cleaning aspect. It's not difficult... just don't bother to click the Registry button on the menu.

CCleaner is an excellent... and fast disk cleaning utility that can easily be configured to suit your needs. Often, users find a simple reboot resolves a quirky performance issue which can come about as a result of the collection of temp files while browsing the web... and if you configure CCleaner to run on startup, then your system could be kept running fast and clean with each new user session.

The Yahoo Toolbar is included by default during the installation of the CCleaner utility... if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup, or else just download the Slim version (no toolbar... last download link at the bottom of that page)...

Or if you just want to run your on-board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files.

So how did I get infected in the first place?
Regards, and Happy Surfing!

 

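Added example, not part of 1972vet's post or of any tool he links: the two steps above that are easiest to get wrong by hand, naming a restore point yyyymmdd_Clean and limiting Disk Cleanup to the four categories listed (Downloaded Program Files, Temporary Internet Files, Recycle Bin, Temporary Files), scripted so the same settings run the same way every time. It assumes an elevated PowerShell 2.0 prompt (PowerShell 2.0 is an optional install on XP SP3; it ships with Windows 7). The VolumeCaches handler names, the use of preset slot 64, and the "Internet Cache Files" key name for Temporary Internet Files are assumptions from how cleanmgr /sageset stores its choices, so check them under HKLM before relying on the script.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell 2.0+ prompt.

# --- 1. Restore point named yyyymmdd_Clean, as recommended in the post above ---
$desc = '{0}_Clean' -f (Get-Date -Format 'yyyyMMdd')
Checkpoint-Computer -Description $desc -RestorePointType 'MODIFY_SETTINGS'

# Confirm it was recorded: newest restore point by sequence number.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Select-Object -Last 1 SequenceNumber, Description

# --- 2. Disk Cleanup preset limited to the four categories the post lists ---
# cleanmgr /sageset:N saves the ticked categories as a DWORD named StateFlags000N
# under each handler key below; 2 = selected, 0 = not selected. Writing those
# values directly gives a repeatable /sagerun:N with exactly these categories.
$base     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'
$preset   = 64                                   # assumption: slot 64 is unused on this PC
$flagName = 'StateFlags{0:D4}' -f $preset        # -> StateFlags0064
$wanted   = @(
    'Downloaded Program Files',   # Downloaded Program Files
    'Internet Cache Files',       # Temporary Internet Files (assumed key name)
    'Recycle Bin',                # Recycle Bin
    'Temporary Files'             # Temporary Files
)

# Explicitly clear every handler first so stale selections cannot sneak in,
# then enable only the four we want.
foreach ($key in Get-ChildItem $base) {
    Set-ItemProperty -Path $key.PSPath -Name $flagName -Value 0 -Type DWord
}
foreach ($name in $wanted) {
    $key = Join-Path $base $name
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name $flagName -Value 2 -Type DWord
    } else {
        Write-Warning "Disk Cleanup handler '$name' not found; check the key name under $base"
    }
}

# Run Disk Cleanup unattended with that preset and wait for it to finish.
Start-Process -FilePath 'cleanmgr.exe' -ArgumentList "/sagerun:$preset" -Wait
```

Note that the registry cleaning the post warns against is a different feature entirely; nothing here touches anything outside the VolumeCaches preset values, and those only tell cleanmgr which of its own categories to run.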
