Adware.180solutions

[mariewt]

it still seems to be finding it. However, when I clicked on the delete.bad icon it opened and then closed itself before the scan ran... I tried to open it a couple of times beacuase I thought that was the point, but it refused. this is the log anyway.

when I did the run combofix it wanted the virus off again, so i did. will turn it back on now...

you are my hero. and you have a very cute dog

Malwarebytes' Anti-Malware 1.36

Database version: 2043

Windows 5.1.2600 Service Pack 3

2009-04-29 18:52:03

mbam-log-2009-04-29 (18-52-03).txt

Scan type: Full Scan (C:\|)

Objects scanned: 267235

Time elapsed: 2 hour(s), 28 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\lmgr180.wmdrmax.1 (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[miekiemoes]

Hi,

when I clicked on the delete.bad icon it opened and then closed itself before the scan ran

It wasn't supposed to do anything else anyway

Let's ignore this entry for now in Malwarebytes. As I said, don't worry about it.

I hope I can reproduce it some day. If I can - then I'll certainly let you know via PM here

[mariewt]

ok, then we will ignore this part and be very grateful all the other nasties are gone now!

I will look out for a pm and leave you alone so you can help other victims who need some expert help. again, I really REALLY appreciate all the help. Hope I don't need to avail myself of your expertise again, but it is quite reassuring to know where to go next time!

[miekiemoes]

You're most welcome.

[mariewt]

I really hate to be back already, but there seems to be a snag. After my last update everything was fine until I downloaded an E-ID from the bank and tried to use it at the Swedish tax site. After a reboot I got to the desktop but it wouldn't let me do anything. ie nothing will open. I am wondering if MBAM is trying to run a scan in the background and that is why, since when it was scanning before it was similiar in not wanting anything else to happen.... it is not telling me anything to that effect, though, as the desktop is just as "normal." ie no window indicating anything is going on. I tried several reboots to see if it would snap out of it (!) but no. It seems to act normally as far as getting me to the desktop and setting things up, but then it won't let me open anything. If I am quick I can get something to start to open, but it seems like after the MBAM icon comes up at the bottom it freezes. I finally gave up and turned it off completely - had to use the off button as it wouldn't let me click on the start button to turn it off. This morning I turned it on and got to the desktop and it acted the same, so I decided i would leave it alone and see if it was doing a background scan and it would be ok after a couple hours. If it is a scan, is this normal behaviour for the version that I registered, and something that the computer will continue to do without any notice? Can it be a memory issue ie that it takes too much to do a background scan and therefore won't let me start anything else?

If it is not just a background scan, how can I resolve the issue if I can't click on anything?

[miekiemoes]

Hi,

This rather looks like a compatibility issue. Not sure if mbam causes this though...

It worked fine before right? That E-ID thingie, is this a program that you had to install? And then it started?

Let's disable the Realtime protection and see how your Windows behaves, so rightclick the mbam icon and uncheck "start with windows" and "enable protection".

Then reboot.

Also, can you rescan with HijackThis and post a new log here ? (after the reboot)

[mariewt]

The E-id was a program to run the drive routines etc, but after the reboot that it required, it was working for awhile without issue. It started after the next reboot when the swedish tax site didn't accept my e-id- So it may well be connected and be a compatability with that program. Happy to remove it after I do my taxes.... but Re unchecking the start on windows, that sounds wise, but if it won't let me click on the icons I can't do that.... if I start it in safe mode instead, might that work?

[miekiemoes]

if I start it in safe mode instead, might that work?

Yes, but the icon won't be present there.

In safe mode, open Malwarebytes, click the "protection" tab and there uncheck to start up with Windows.

I think it's rather an issue with your F-secure and that program and not with Mbam, because I've seen this quite often with F-secure that it acts like that though..

[miekiemoes]

The E-id was a program to run the drive routines etc, but after the reboot that it required, it was working for awhile without issue.

It started after the next reboot when the swedish tax site didn't accept my e-id- So it may well be connected and be a compatability with that program.

That's also why I rather suspect F-secure the cause of it, because F-secure has the capacity to block this as it may see it as a suspicious behavior (HIPs function) and because if that, it may cause further problems.

[mariewt]

ok, i will do that as soon as I get home and update the log. Then we can see what I need to do next, maybe I can disable f-secure while I do my taxes and then delete the bank programs? or get something else instead of f-secure.....which evidently has issues or I wouldn't be here to start with....

although I suppose nothing is perfect...

[miekiemoes]

I don't know how the Bank program launches - if it has a startup reference or not. That would be odd if the banking program starts up with Windows though. That's why I also need a HijackThislog to see if that one has a startup reference.

To be honest, I don't think that disabling F-secure (Telia S

[mariewt]

ok, I will try that instead then. I guess i go into safe mode and uninstall F-secure from there, reboot and see what happens. If everything works then I will know it was that. if it doesn't I will try unchecking the windows start up for malwarebytes. either way I can do the hijack this log afterwards and post it with an update as to the results.

[miekiemoes]

That's ok - I'll read you later

[mariewt]

back again... removed the virus program, rebooted and it seems fine again, other than not having a virus program.

this is the hijack log.. what do you think?

maybe the best thing now is to download Avira - does it play nicely with e-ids?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:05:03, on 2009-04-30

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe

C:\Program Files\Personal\bin\Personal.exe

C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\RioMSC.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\Smartscaps.exe

C:\Program Files\Telia\Supportassistent\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SoftwareDistribution\Download\c2605fe2baba03346e8868859fbe2ead\update\update.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/se/sve/gen/default.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: y modified by Norman Malware Cleaner

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live inloggningshj

[miekiemoes]

Hi,

Good we found the main culprit.

maybe the best thing now is to download Avira - does it play nicely with e-ids?

Yes, I'm sure of that.

It's not mbam after all, because mbam is still up and running here and no issues anymore =)

[mariewt]

I downloaded avira from the link on this site, but can't get it to install. the install guide is in flash and for some reason flash won't install on this pc. Have been trying various trouble shooting on that for quite some time, with no success. is there a non- flash install guide for avira? when I click on the icon from the download it wants to know what program to open it with, and I don't know.... should I be doing something else with it to make it install?

[mariewt]

avira_antivir_personal_en

is what the download says it is....

[miekiemoes]

Hi,

This is the link to the download: http://download.cnet.com/Avira-AntiVir-Per...cdlPid=11012914

Just click the "download now" button there.

For your Flash, it could have been your Fsecure previously blocking it, so you can try to reinstall it again: http://get.adobe.com/flashplayer/

Also, are you using any 3rd party tools where it has the option to block flash? For example; I know Spywareblaster has this option as well.

[mariewt]

yes, that is where I was, and it downloads fine, but when I ask it to run it goes to the "what do you want to open it with?" window instead of just going into an install process which was what I would expect.

also tried to install flash again, but it is still giving me the same error message as before, and none of the trouble shooting there has worked before, altho it might work now that f-secure is not on. will work on that after I get the avira working I guess.... I don't have any other third party tools as far as I know, and it has never worked on this particular pc. there is a lot of trouble shooting things on the adobe site, and I have tried all of them I think other than one that specifically says you have to be sure and back up everything in case you have to reformat your hard drive after, and I found that one too scary to try before i had backed up all my pictures properly....

[miekiemoes]

Hi,

Please download the installer for Avira to your desktop and launch it from your desktop. It should be an exe file present on your desktop. Then doubleclick the exe file in order to install it. If you get an error, let me know for what exactly it gives an error.

Also, what exact error do you get for your flash if you want to install it? You always had problems with it?

From what I read here - many problems in general, install problems etc etc - have you ever tried to create another useraccount?

[mariewt]

avira doesn't seem to think it is an exe file - it says it is simply

avira_antivir_personal_en

it is 28,6 MB (30

[mariewt]

and this is the same error that flash has had before

[miekiemoes]

Hi,

It looks like it's an incomplete download (Avira)

Please uninstall the Windows Live Toolbar, because this version you are having may cause this.

Then redownload Avira again to your desktop.

For adobe flash player, can you follow the steps here? http://kb2.adobe.com/cps/191/tn_19166.html

What I also want you to do is (apart from testing in another useraccount), is to install Firefox and see if it works in your Firefox.

[mariewt]

in the change programs I can't find anything called windows live toolbar- there is a windows live essentials, windows live login assistant, windows live sync, and windows live update tool. is it in the live essentials, so I should remove it?

[miekiemoes]

there is a windows live essentials, windows live login assistant, windows live sync, and windows live update tool.

You may actually uninstall all 4 of them. It won't affect your Windows live messenger.

I've noticed that those extra additions are still buggy anyway.