Win32.AutoRun.tmp & Spyware.OnlineGames, Two problems now


Kay


Hi,

Last night I ran an ESET scan and when I came back to the computer MBAM had run a flash scan and picked up *Spyware.Onlinegames* located at C:\Windows\temp\NOD1.tmp. I quarantined this. MBAM updated to the latest version and the computer was restarted.

I then had a balloon message that some programs were being blocked at startup: MBAM. My Secunia scan indicates that I have two unstable browsers at the following locations:

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\ERDNT\cache\iexplore.exe

Windows Defender was enabled for some reason; so I disabled it and have restarted the computer several times. I looked at the temp folder and see that there are a multitude of files starting with NOD... and have no idea what they are.

Here are my MBAM and HJT scans.

__________________________

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5289

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

12/10/2010 10:12:26 AM

mbam-log-2010-12-10 (10-12-26).txt

Scan type: Quick scan

Objects scanned: 166241

Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

_________________________

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:07:54 AM, on 12/10/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18975)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Brownie\BrStsWnd.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Secunia\PSI\psi.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Brownie\brpjp04a.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Jane Doe\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [RtHDVCpl] "C:\Windows\RtHDVCpl.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [brStsWnd] "C:\Program Files\Brownie\BrstsWnd.exe" Autorun

O4 - HKLM\..\Run: [igfxTray] "C:\Windows\system32\igfxtray.exe"

O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"

O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

O4 - HKLM\..\Run: [brMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [ehTray.exe] "C:\Windows\ehome\ehTray.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/instal...osticsVista.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: Google Update Service (gupdate1c994805743b364) (gupdate1c994805743b364) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--

End of file - 8410 bytes

I bolded what appears to be duplicate entries; but do not know if this is significant.

Thanks, Kay


Hi,

I know this is a no-no to post a second time; but after I posted my first message (http://forums.malwarebytes.org/index.php?showtopic=69993), I ran Spybot S&D which detected Win32.AutoRun.tmp. I fixed this :) and now have the two problems going. I don't know if they are independent of each other or if they are somehow connected. I have rebooted after MBAM quarantined Spyware.OnlineGames; but this doesn't get the job done--maybe because of the other infection. ESET & Spysweeper (Webroot) have not picked up either infection.

I had some problems a couple of weeks ago with Spysweeper going thru a list of websites that it blocked (http://forums.malwarebytes.org/index.php?showtopic=68751) that appeared to be fixed, but now I'm not sure what is going on.

________________________

DDS (Ver_10-12-12.01) - NTFSx86

Run by Jane Doe at 17:54:00.61 on Sat 12/11/2010

Internet Explorer: 8.0.6001.18975

Microsoft

Attach.zip

ark.zip


  • Staff

Hi and welcome to Malwarebytes.

For future reference, please post all logs directly into your reply instead of attaching them.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Thanks for your help. Here is the MBAM log after updating this morning. I will work on the DDS and ComboFix and post those next.

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5302

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

12/12/2010 9:46:18 AM

mbam-log-2010-12-12 (09-46-18).txt

Scan type: Quick scan

Objects scanned: 166962

Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\temp\NOD1.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.

______________________________

I thought I was following Advanced Setup's instructions when I attached the two text logs.

Kay


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi,

I ran the two programs you requested:

________________________________

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

(Is this all there is to this scan?)

________________________________

Results of screen317's Security Check version 0.99.6

Windows Vista Service Pack 2 (UAC is enabled)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Smart Security

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 22

Adobe Flash Player

Adobe Reader 9.4.1

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Spybot Teatimer.exe is disabled!

````````````````````````````````

DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````

I do not have a wireless internet connection. I am hooked up thru a Linksys router and am independent of the other computer on the Linksys router.

_____________________________________

When I turn the computer on, MBAM is being blocked from starting up by Windows.

I ran a quick MBAM scan and *Spyware.OnlineGames* is not showing up. One down...

I ran Spybot S & D and it is still detecting *Win32.AutoRun.tmp*:

Win32.AutoRun.tmp: [sBI $751B1850] Settings (Registry value, fixed)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

I also ran a Secunia scan and it still shows two IE8 and there are two icons on the desktop:

C:\Windows\ERDNT\cache\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

___________________________________

We volunteered at the winter homeless shelter last night and I am about to leave for some volunteer work at the local hospital; so I will be gone for the afternoon. I will work on this when I get home.

Thanks, Kay


  • Staff

Hi,

Please try this online scanner instead:

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, what version of Spybot - Search & Destroy do you have installed? If it's not up to date, there isn't much point in keeping it.

*I also ran a Secunia scan and it still shows two IE8 and there are two icons on the desktop:

C:\Windows\ERDNT\cache\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe*

Why do you suspect that that's a problem?

Which icons are you referring to?

Please open Notepad. Copy and paste the following text (starting with @echo off) into the Notepad document.

Navigate to File --> Save As..., and save the file as RegExport.bat (make sure the Save As Type is set to All Files).

Save it to your Desktop.

@echo off
REGEDIT.exe /E "%userprofile%\DESKTOP\winlogonnotify.reg" "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
EXIT

Now navigate to your Desktop, and double click RegExport.bat

A black window will open and close quickly. This is normal.

Now, open Notepad, navigate to your Desktop, and open winlogonnotify.reg. Post its contents in your reply.

-screen317


Hi,

*Next, what version of Spybot - Search & Destroy do you have installed? If it's not up to date, there isn't much point in keeping it..*

My version of Spybot - Search & Destroy is 1.6.2, which I believe is the latest one.

_________________________________

Scanning Report

Monday, December 13, 2010 18:36:30 - 19:09:09

Computer name: JANEDOE-PC

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

1 malware found

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 59595

System: 3967

Not scanned: 43

Actions:

Disinfected: 1

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS

C:\HIBERFIL.SYS

C:\WINDOWS\SYSTEM32\SSIEFR.EXE

C:\WINDOWS\SYSTEM32\WRLZMA.DLL

C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM

C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB

C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB

C:\USERS\JANE DOE\APPDATA\LOCAL\TEMP\LOW\HSPERFDATA_JANE DOE\5736

C:\USERS\JANE DOE\APPDATA\LOCAL\TEMP\HSPERFDATA_JANE DOE\5300

C:\SYSTEM VOLUME INFORMATION\{0306825D-FF18-11DF-8D7F-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{030682DA-FF18-11DF-8D7F-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{030683AD-FF18-11DF-8D7F-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{03068448-FF18-11DF-8D7F-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{050B2AA9-061B-11E0-8DD4-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{27204B4A-06F0-11E0-8C55-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{3BABDBB9-0483-11E0-8F66-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{74DAF61A-FCA8-11DF-97E7-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{74DAF68D-FCA8-11DF-97E7-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{8FB87130-F6CA-11DF-B0D9-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{8FB87150-F6CA-11DF-B0D9-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{9C66325B-F1BD-11DF-982D-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{9C6632E6-F1BD-11DF-982D-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{9C663341-F1BD-11DF-982D-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{9FFA592C-F850-11DF-B901-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{DA4240E7-FA70-11DF-9151-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{E8977C5D-ED56-11DF-828A-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\SYSTEM VOLUME INFORMATION\{E8977DA9-ED56-11DF-828A-00219B046ED5}{3808876B-C176-4E48-B7AE-04046E6CC752}

C:\QOOBOX\BACKENV\SETPATH.BAT

C:\QOOBOX\BACKENV\VIKPEV00

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\18D43B2A5561917EDB018D5795E74BE9_22DD6D1D-8BC4-4442-8796-C0749D5CF793

C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\BCDAA4EAC609DE99860FBEAB35E1F939_22DD6D1D-8BC4-4442-8796-C0749D5CF793

C:\BOOT\BCD

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Interesting that F-Secure only found one spyware cookie. I don't think I rebooted after I ran Spybot S & D this morning.

*I also ran a Secunia scan and it still shows two IE8 and there are two icons on the desktop:

C:\Windows\ERDNT\cache\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe*

*Why do you suspect that that's a problem?

Which icons are you referring to?*

There are two IE icons now when I used to have one. I did a little checking on ERDNT and if I am reading correctly this is a registry backup item from ComboFix. I could be wrong on that as I was trying to just read on websites that I was familiar with.

_____________________________________

I had some problems with the RegExport.bat. When I double clicked on the winlogonnotify.reg on the desktop, it indicated that it would make some changes and I said yes. It took a while to figure out how to get the text into Notepad; but I finally figured it out.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

"DLLName"="C:\\Program Files\\Citrix\\GoToAssist\\514\\G2AWinLogon.dll"

"Logoff"="G2ALogoff"

"Asynchronous"=dword:00000000

"Logon"="G2ALogon"

"Startup"="G2AStartup"

"Impersonate"=dword:00000000

"Shutdown"="G2AShutdown"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui]

@=""

"DLLName"="igfxdev.dll"

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000001

"Unlock"="WinlogonUnlockEvent"

________________________________________

I am going to reboot the computer and see if MBAM is still blocked on startup and also run Spybot S&D to see what it detects.

Thanks, Kay


Hi,

I rebooted the computer and MBAM is still being blocked at startup by Windows. I ran Spybot S & D; it detected Win32.AutoRun.tmp and I closed the program without trying a fix since it comes back on rebooting. I then ran F-Secure again and it detected nothing.

So is there some glitch in Spybot? I think I will uninstall it and do a reinstall and see what happens from there.

I do need to get MBAM from being blocked at startup.

Thanks, Kay


  • Staff

Hi Kay,

*I also ran a Secunia scan and it still shows two IE8 and there are two icons on the desktop:

C:\Windows\ERDNT\cache\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe*

*Why do you suspect that that's a problem?

Which icons are you referring to?*

*There are two IE icons now when I used to have one.*

Yes ERDNT is ComboFix's backup. Please don't touch it quite yet.

Take a screenshot of your Desktop and post it here. What is displayed when you right-click each icon?

*I am going to reboot the computer and see if MBAM is still blocked on startup and also run Spybot S&D to see what it detects.

Thanks, Kay*

What do you mean blocked on startup?? Are you running the Pro version of MBAM? Can you get a report from Spybot to see where its detection is occurring?

Hi,

It took some googling to figure out how to add the picture.

post-2329-1292360276_thumb.jpg

When I right click on each icon, there are primarily two dialog boxes that come up. The first one is the most common one and most of the others differ in how many choices there are:

post-2329-1292360370_thumb.jpg

and the second one is the right box from the second IE icon:

post-2329-1292360390_thumb.jpg

I am running the paid version of MBAM, if that is what you mean by PRO version.

The following is the Spybot log after I ran it and fixed Win32.AutoRun.tmp:

--- Report generated: 2010-12-14 13:27 ---

Win32.AutoRun.tmp: [sBI $751B1850] Settings (Registry value, fixed)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)

2009-01-26 SDFiles.exe (1.6.1.7)

2009-01-26 SDMain.exe (1.0.0.6)

2009-01-26 SDShred.exe (1.0.2.5)

2009-01-26 SDUpdate.exe (1.6.0.12)

2009-01-26 SDWinSec.exe (1.0.0.12)

2009-01-26 SpybotSD.exe (1.6.2.46)

2009-03-05 TeaTimer.exe (1.6.6.32)

2010-12-13 unins000.exe (51.49.0.0)

2009-01-26 Update.exe (1.6.0.7)

2009-11-04 advcheck.dll (1.6.5.20)

2007-04-02 aports.dll (2.1.0.0)

2008-06-14 DelZip179.dll (1.79.11.1)

2009-01-26 SDHelper.dll (1.6.2.14)

2008-06-19 sqlite3.dll

2009-01-26 Tools.dll (2.1.6.10)

2009-01-16 UninsSrv.dll (1.0.0.0)

2010-06-29 Includes\Adware.sbi (*)

2010-11-30 Includes\AdwareC.sbi (*)

2010-08-12 Includes\Cookies.sbi (*)

2010-09-22 Includes\Dialer.sbi (*)

2010-11-30 Includes\DialerC.sbi (*)

2010-01-25 Includes\HeavyDuty.sbi (*)

2010-11-30 Includes\Hijackers.sbi (*)

2010-11-30 Includes\HijackersC.sbi (*)

2010-09-15 Includes\iPhone.sbi (*)

2010-08-02 Includes\Keyloggers.sbi (*)

2010-11-30 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2010-09-13 Includes\Malware.sbi (*)

2010-12-07 Includes\MalwareC.sbi (*)

2010-05-18 Includes\PUPS.sbi (*)

2010-10-12 Includes\PUPSC.sbi (*)

2010-01-25 Includes\Revision.sbi (*)

2009-01-13 Includes\Security.sbi (*)

2010-11-30 Includes\SecurityC.sbi (*)

2008-06-03 Includes\Spybots.sbi (*)

2008-06-03 Includes\SpybotsC.sbi (*)

2010-06-29 Includes\Spyware.sbi (*)

2010-11-30 Includes\SpywareC.sbi (*)

2010-03-08 Includes\Tracks.uti

2010-11-01 Includes\Trojans.sbi (*)

2010-11-30 Includes\TrojansC-02.sbi (*)

2010-11-30 Includes\TrojansC-03.sbi (*)

2010-11-30 Includes\TrojansC-04.sbi (*)

2010-12-07 Includes\TrojansC-05.sbi (*)

2010-11-30 Includes\TrojansC.sbi (*)

2008-03-04 Plugins\Chai.dll

2008-03-05 Plugins\Fennel.dll

2008-02-26 Plugins\Mate.dll

2007-12-24 Plugins\TCPIPAddress.dll

__________________________________________

14.12.2010 13:15:02 - ##### check started #####

14.12.2010 13:15:02 - ### Version: 1.6.2

14.12.2010 13:15:02 - ### Date: 12/14/2010 1:15:02 PM

14.12.2010 13:15:05 - ##### checking bots #####

14.12.2010 13:18:22 - found: Win32.AutoRun.tmp Settings

14.12.2010 13:26:58 - ##### check finished #####

____________________________________________

There is another longer Spybot report that I will post in the msg.

Thanks, Kay

post-2329-1292359665_thumb.jpg


  • Staff

Hi,

The second icon you described is a normal IE icon. The first is a shortcut which you can delete. Does it not delete fine?

Something is restoring Spybot's detection and I have a feeling that it's TeaTimer.

I suggest you to disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

Then, download ResetTeaTimer.bat.

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

After all of the fixes are complete it is very important that you enable TeaTimer again.

Next, update Spybot, run its scan, and remove anything found.

Restart the computer twice.

Enable TeaTimer after the second restart.

Let me know if the detection persists.


Hi,

MBAM is blocking: downloads.subratam.org/ResetTeaTimer.bat (64.74.223.37).

I have to leave for an hour and will work on this when I get back

Edit: Also SpySweeper Internet Communication shield is blocking a multitude of websites starting with numeric and then A-Z. So I will wait until this is done in about half an hour. I had this happen a couple of weeks ago (msg #68751) and once the sites go thru Z, then the process stops. I think this possibly has something to do with SpyBot.

Thanks, Kay


Well, that took longer than I remembered...2 hours for Spy Sweeper to go thru the list of websites it was blocking. The program then updated its definitions.

MBAM is still blocking the *downloads.subratam.org/ResetTeaTimer.bat* as a malicious site. I'll go ahead without this step and let you know what happens.

Thanks, Kay


And everything is as it was...

MBAM is still blocked at startup:

A balloon comes up from the tray: Windows has blocked some startup programs. Windows blocks programs that require permission to run when windows starts. Click to view blocked programs. Choices are:

Show or remove blocked startup program

Run blocked program

View Help

Exit

When I click on Show or remove blocked startup programs, I get the System configuration window with 5 tabs: General, Boot, Services, Startup and Tools.

Looking at the Startup and Services tabs, MBAM is shown as enabled and running -- which it is not because I have not yet selected Run blocked program. Then I have to give permission for MBAM to run.

I disabled TeaTimer and SDHelper, but I could not access the *ResetTeaTimer.bat* since MBAM blocks it as a malicious site. So I rebooted the computer twice, re-enabled TeaTimer, ran Spybot which detected Win32.AutoRun.tmp and I removed it again.

At least, the MBAM scan comes up clean... :)

Thanks, Kay


Hi Chris,

I did not give permission to MBAM after startup and clicked on your link for *ResetTeaTimer.bat* and came to a website that had a message that the domain *subratam.org* is for sale. Is there another site for the .bat file? MBAM says it blocked the subratam.org site; so apparently the startup message about MBAM being blocked is faulty.

I will reset TeaTimer on for now and wait for more instructions.

thanks, Kay


  • Staff

Hi Kay,

My apologies for the delay.

Yes that link is outdated. Ignore that part for now.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Taskman"=-

KILLALL::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317

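The two registry points screen317 works through above (exporting Winlogon\Notify with RegExport.bat, and removing the Winlogon\Taskman value that Spybot keeps flagging) can be reviewed in one read-only pass. The PowerShell below is an added example, not code from this thread or from Malwarebytes staff; the expected default values, the 32-bit paths and the System32 fallback it assumes are marked in the comments.

```powershell
# Added example, not from this thread: read-only audit of the Winlogon
# persistence points discussed above (the Taskman value Spybot flagged and
# the Notify subkeys RegExport.bat exported). It reports and never modifies
# the registry. Run from an elevated PowerShell prompt.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed defaults for a 32-bit Vista install; adjust for other versions.
# Taskman is normally absent: when present it names a program Winlogon
# launches in place of Task Manager, which is why scanners flag it.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
    Taskman  = $null
}

function Get-WinlogonValue {
    param([string]$Name)
    $props = Get-ItemProperty -Path $winlogon -ErrorAction Stop
    if ($props.PSObject.Properties.Name -contains $Name) { return $props.$Name }
    return $null
}

"== Winlogon values =="
foreach ($name in $expected.Keys) {
    $actual = Get-WinlogonValue -Name $name
    $want   = $expected[$name]
    # Cast to string so a missing value ($null) compares equal to an expected $null.
    $status = if ([string]$actual -ieq [string]$want) { 'OK' } else { 'CHECK' }
    "{0,-5} {1,-8} actual='{2}' expected='{3}'" -f $status, $name, $actual, $want
}

# Notify subkeys register DLLs that Winlogon on XP loaded at logon/logoff.
# Vista no longer loads them, but stale entries are still worth a look:
# report each DLL, whether it exists on disk and whether it is signed.
"`n== Winlogon\Notify subkeys =="
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
        # Assumption: bare file names such as igfxdev.dll resolve from System32.
        $path = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot "System32\$dll"
        } else { $dll }
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        "{0,-12} DLLName='{1}' exists={2} signature={3}" -f $_.PSChildName, $dll, $exists, $sig
    }
} else {
    "No Notify key present."
}
```

A `CHECK` on Taskman or an unsigned, missing Notify DLL is what to hand to the helper, together with the exported .reg file, before any value is removed.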

Hi Chris,

I went ahead and rebooted the computer and ran Spybot S & D and it is still detecting Win32.AutoRun.tmp. I did not fix it this time and maybe I should re-run ComboFix with the script that you provided or maybe a new one.

Also when the computer starts up, it is still showing the message about blocked startup items: MBAM.

Kay


Hi Chris,

Here are two screen shots of what appears each time the computer is booted up and what I mentioned in a previous msg:

post-2329-1292696398_thumb.jpg

post-2329-1292696425_thumb.jpg

On another note, I was reading another thread: http://forums.malwarebytes.org/index.php?showtopic=70419, msg #19

and I noticed that Maniac has a different link for resetting TeaTimer: *ResetTeaTimer.exe*.

Thanks, Kay
