Win32.AutoRun.tmp & Spyware.OnlineGames, Two problems now


Kay

  • Staff

Hi Kay,

Please navigate to C:\Program Files\Malwarebytes' Anti-Malware and do the following:

  • Right-click on mbamgui.exe and select Properties
  • Click on the Compatibility tab
  • Make certain that under Privilege Level, Run this program as an administrator is NOT checked; if it is, uncheck it, then click Apply and then click OK
  • Do the same for mbamservice.exe and mbam.exe

Restart your computer and see if the block persists.


Hi Chris,

None of those three files were checked; in fact, I looked at all of the files in the MBAM folder and none are checked. The blocking started after MBAM detected *Spyware.OnlineGames* which I quarantined, MBAM then updated and rebooted and was still blocked at startup.

I currently have Spybot checked for Run this Program as an Administrator as I have been using the Secure Shredder. I'll uncheck this, check Spybot's folder, and reboot and see if that makes a difference.

Edit: I unchecked Administrator by right-clicking on the icon and then checked all of the files in Spybot in WinExplorer, rebooted, and there was no change to the blocking of MBAM.

Thanks, Kay


Hi Chris,

The program does work when I click on Run from the Blocked list and updates. I had to uninstall a couple of M$ updates as I seemed to have a few more issues such as Windows Explorer needing to be shut down and restarted after the computer boots.

For a long time, Windows Live Mail has had some issues and I have had to exit and restart. But this was going on long before the MBAM quarantine, blocked startup, and the F/P in Spybot that started about the 10th of December.

Kay,

So what happens when you click to Run from the Blocked list?

Hi,

When my computer boots up, MBAM is blocked at startup. I have to click on the icon in the tray that has a balloon msg that Windows has blocked some startup programs, start MBAM, and also give permission per UAC. Post #23 has pictures.

I am also experiencing unexpected shutdowns when I leave the computer and come back to it later with a msg that Windows has recovered from an unexpected shutdown. According to the minidump file, these shutdowns started on 12/24/2010.

I started this thread on 12/10 when MBAM detected Spyware.OnlineGames and a couple of days later, Spybot detected what turned out to be a F/P.

Something happened between the 10th and the 24th to start the shutdown problem. I did run sfc /scannow from the command prompt yesterday and there are apparently some files that are corrupted.

(screenshot attached)

I was able to access the CBS.Log; but of course, it is gigantic and I don't understand it anyway. I have it saved on the desktop.

I apologize for the delay in responding - I had to watch the BCS game since I am originally from Oregon.

Thanks, Kay


  • Root Admin

Okay, let's take MBAM out of the picture temporarily.

Please uninstall MBAM from the menu or programs and reboot. Then download this tool to your desktop and right click and choose "Run as administrator" and reboot your computer once again.

mbam-clean.exe

Then follow the directions here to run a full disk check of your system.

How to Run Check Disk at Startup in Vista

Please use TFC to clear temporary files:

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here or here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

Then run the DDS scanner once again so that I can review any current entries as well as current errors from the Event Logs.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


I took a screen shot of the event viewer and have googled up Event ID 41. This seems to be a somewhat common problem; but there doesn't seem to be one answer that will clear up this event from what I have seen so far on the internet. But this is what is causing the unexpected shutdown. There are some other warnings that a couple of MS updates are not appropriate for my computer. I'll have to do a little checking on the updates.

(screenshot attached)

Thanks, Kay


  • Root Admin

I see you're running ESET Smart Security which includes the following

Antivirus | Antispyware | Firewall | Antispam

I also see that you have a ton of McAfee Anti-Virus drivers installed.

Which AV product do you want to use and run? You can only run one as they will conflict with each other.

You're also running what appears to be 2 Anti-Malware products that may be the paid versions that are also running services which may or may not conflict with each other.

You have an old Daemon Tools driver also installed yet I don't see it in the Add/Remove for programs.

You should download and run the following tool to remove all left over pieces of McAfee, as you do not appear to have it installed yet it is still loading drivers for it.

http://download.mcafee.com/products/licens...atches/MCPR.exe

Make sure you right click and choose "Run as administrator"

You can go here and find the FAQ on how to remove the Daemon Tools SPTD driver

http://www.duplexsecure.com/en/faq

How can I remove SPTD driver on 32-bit OS?

Once you've done the above two procedures then download and run a new DDS scan and post back the new logs please.


  • Root Admin

You do not appear to be alone on that issue. It sure seems to be driver related though but finding the actual driver might not be so easy.

Not specifically for Vista but should fall into the same category

Windows Kernel event ID 41 error in Windows 7 or in Windows Server 2008 R2:


I ran the McAfee removal tool successfully but had problems with removing SPTD.

I tried to run as administrator on the first go:

(screenshot attached)

and just clicked on it the second time:

(screenshot attached)

So I have not run DDS again. I will give it another go tomorrow.

Thanks, Kay


  • Root Admin

Let's go ahead and run Combofix and it can recheck if anything is there as well as help us to remove stubborn drivers if needed.

  1. Download ComboFix from below:
     Combofix download
     * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
     You can get help on disabling your protection programs here
  3. Right click on combofix.exe and choose Run as administrator and follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it will produce a log for you. Post that log in your next reply. You can also locate this file here: c:\combofix.txt
     Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.


I ran across this a couple of days ago:

(screenshot attached)

Clicking on the first item gives a warning about ESET driver

(screenshot attached)

That report was done on 12/01/2010. So I uninstalled ESET because there was a newer version that I installed on 01/11/2011. I don't know, of course, if this is the source of the unexpected shutdowns. And I don't know how to renew the report.

Here is the ComboFix log - I also disabled Teatimer:

ComboFix 11-01-12.04 - Jane Doe 01/13/2011 10:54:48.5.4 - x86

Microsoft

ComboFix.txt


  • Root Admin

Okay, since you have a wealth of Security software installed and you're having issues with the system, why don't we sort of start from scratch, clean up the system some, and see where we're at from that point.

Make sure you have the ID, Key, Registration required for all products and then let's uninstall all of them temporarily.

If any of them give you problems removing them then download the manual removal tool for them.

DO NOT browse the Web or go reading email while your AV and Security Tools are removed.

Once done, run a NEW DDS scan and post back those logs and if all is good then I'll have you install the latest ESET Smart Security 4.x if that is your chosen AV and we'll continue from there.

Ultimate List of Uninstallers

http://uninstallers.blogspot.com/

Please visit this link to permanently disable Windows Defender

http://www.howtogeek.com/howto/15788/how-t...ow-turn-it-off/

Here is a tool to fully remove Webroot SpySweeper

http://download.webroot.com/SSCCleanup.exe

If you do want to use it then I would make sure that you're using the latest version of the product

http://www.webroot.com/En_US/consumer-prod...spysweeper.html

How do I manually uninstall my ESET security product?

http://kb.eset.com/esetkb/index?page=content&id=SOLN2289

How do I uninstall or reinstall ESET Smart Security/ESET NOD32 Antivirus? (4.x)

http://kb.eset.com/esetkb/index?page=content&id=SOLN2116

If you're not using the Dell Support Center stuff then I'd remove it from running myself but that's up to you.

You can use either HijackThis or Autoruns to safely disable the program from starting. Myself I like Autoruns for that.

http://free.antivirus.com/hijackthis/

http://www.trendmicro.com/ftp/products/hij.../HijackThis.exe

Autoruns for Windows v10.06

http://technet.microsoft.com/en-us/sysinternals/bb963902

http://download.sysinternals.com/Files/Autoruns.zip

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

I don't see a need to always load the ScanSoft OmniPage auto updater. I would remove it from startup as well and only run it once in a while to check for updates if needed.

I also don't see a need for it to index the files (again that is me and the choice to disable is up to you)

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]

Do you still have a Brother Printer or similar device you're using? Do you need these utilities always loading?

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-07 622592]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]

The Sun Java updater is good to have as long as it does work and keeps your Java up to date but again it is another utility that does not always need to load as long as you periodically check for updates yourself.

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

These Adobe programs also don't need to load and run all the time unless you use them all the time.

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

Same thing with all the Google tools - I would only run them when you want to and not leave them running as a service taking up resources for no reason

You can use the Secunia Personal Software Inspector to help assist you in keeping your programs up to date if you like when we're done here. http://secunia.com/vulnerability_scanning/personal

The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals.
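The two things the Root Admin is reviewing by hand in this thread, the auto-start entries listed from the ComboFix log and the Kernel-Power event ID 41 records behind the unexpected shutdowns, can be inventoried from PowerShell. This is an added example, not a tool from the thread or from Malwarebytes; it assumes Windows PowerShell 2.0 or later and read access to the System event log, and the "optional" name list is constructed from the entries the thread suggests need not auto-start.

```powershell
# Added example (not from the thread): list Run-key auto-start entries and
# flag the ones this thread treats as optional, then pull Kernel-Power 41 events.
# Assumes Windows PowerShell 2.0+ and read access to the System event log.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Constructed list: value names the thread says can be left out of startup.
$optional = 'SSBkgdUpdate', 'IndexSearch', 'PPort11reminder', 'BrStsWnd',
            'BrMfcWnd', 'ControlCenter3', 'PaperPort PTD', 'SunJavaUpdateSched',
            'Adobe Reader Speed Launcher', 'Adobe ARM', 'DellSupportCenter', 'dscactivate'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $flag = if ($optional -contains $p.Name) { 'optional' } else { 'review' }
        "{0,-9} {1,-28} {2}" -f $flag, $p.Name, $p.Value
    }
}

# Unexpected shutdowns are logged by Microsoft-Windows-Kernel-Power as event 41.
# Reading them (not clearing them) shows when the reboots started.
Get-WinEvent -FilterHashtable @{ LogName = 'System';
                                 ProviderName = 'Microsoft-Windows-Kernel-Power';
                                 Id = 41 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Entries flagged "review" are simply ones not on the thread's list, not evidence of anything wrong; compare each against the DDS/ComboFix log before disabling it in Autoruns.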


OK, so I unchecked the following using AutoRun. It was a little unnerving since I have never used AutoRun before - hopefully I didn't uncheck too much:

Edit: Should I have saved the changes under File>Save??

CurrentVersion\Run:

AdobeARM

AdobeReader

BrMfcwnd

BrStswnd

ControlCenter3

DellSupport

Dscaactivate

IndexSearch

PaperPortPTD

PPort11reminder

SSBkgdupdate

Programs\StartUp:

OneNote

CurrentVersion\Run:

DellSupportCenter

swg

BHO: GoogleToolbar

I have a Brother laser printer, HP deskjet and a Brother FAX/scan/copier all connected to my computer.

I have never used Daemon Tools, so I don

DDS.txt

Attach.txt


  • Root Admin

Hi Kay,

No you shouldn't need to save. Just uncheck what you don't want to run and then you can quit the program.

It shows you still have Spybot installed as a service.

SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe

You also have Google as a Service

gupdate1c994805743b364;Google Update Service (gupdate1c994805743b364);c:\program files\google\update\GoogleUpdate.exe

Otherwise it looks pretty good. Please leave it running without browsing the Web and see if it still shuts down on its own, and let me know if you have any other Malware related issues as well.

Thanks


OK, I will let it run and I will remove the other two items.

thanks, Kay
