Malware Again, if it all truly was gone before

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bbpathd1, Oct 1, 2009.

  1. bbpathd1

    bbpathd1 Private First Class

    This is the same computer from this thread: Spyware disabled McAfee Security http://forums.majorgeeks.com/showthread.php?t=192550

    I had left that discussion still having some issues about the limited user account I had created. Then I was sidetracked with malware problems on two other computers for much of the next month (don’t worry, rule #4—NOT going to talk about their problems in this thread!). I didn’t know just what to ask in the Software Forum about the weird problems I had on this one, so I decided to go ahead and work through the How to Protect yourself from Malware! sticky and see if things would improve, and indeed they seemed to. I installed SP3 and all the Microsoft updates available to me except Silverlight and the Live options.

    Yesterday I had just logged on in Firefox searching for airfares, with pages to American, Delta, Bestfares, etc. open, when I got a security alert box on Delta that said, “The name on the security certificate is invalid or does not match the name of the site.” Comodo alerted me that Firefox is trying to make a new directory, then the windows all overlapped and the screen froze. I closed Firefox and tried to run CCleaner. At first it would not open, then 3 windows had it. When I ran it, it said Firefox was still open despite my closing of Firefox and did not remove any of the Firefox temp files. Then a Comodo alert about svchost.exe came up wanting to use port UPNP/SSDP 2869, which I had allowed in the past, I blocked this time. When I closed CCleaner, I got 2 boxes about debug errors and the screen froze. When I tried looking at the Delta airlines page in IE7, I got the same security alert box that said, “The name on the security certificate is invalid or does not match the name of the site,” so I viewed the certificate. It said it was intended for: “Ensures the identity of a remote computer” and Issued to a248e.akamai.net by GTE Cyber Trust Global Root and had a button “Install Certificate” at the bottom. I knew then it was time to do the XP cleaning procedure again.

    I’d left SAS as a scanner and had last used it 091809. I had to run it through the alternative start that time because it would not open on clicking the scan button after updating. Nothing was found 091809. Last night SAS would not run after updating. Message box said it was “locked by the system” and Windows crashed.

    Malwarebytes ran finding 19 objects infected. I fixed them and rebooted. For comparison, I had run it just routinely on 092509 and found nothing.

    Back was the Comodo alert that svchost.exe was trying to receive a connection from the internet on UPNP/SSDP 2869. I blocked it.

    I tried running SAS again and it said it updated although it still had the 091809 date on screen.

    ComboFix ran OK but took a long time before finally finishing its report.

    RootRepeal and MGTools ran OK.

    Here are the attachments. I realize all the helpers in the Malware Forum are incredibly busy. Thanks for your help.
     


  2. bbpathd1

    bbpathd1 Private First Class

    Page 2 on same post

    I really don’t know if the original malware was gone or not. I always thought there was some evil nasty running under the radar that eluded all the scans. I know I continued to be suspicious because of the way the limited user account worked.

    On 083109 in the limited user account I found Spyware Terminator HIPS disabled and enabled it. It said it had not been updated since 082809 despite being used on the Admin account that said it was updating 083009. Also said no scan had ever been done despite scans done on the Admin account in the past.

    Let me show you what came up on 091909 when Comodo was updating. It is mostly 3 screen shots.

    PS I had an awful time getting this post done. I kept getting logged out when I tried to attach attachments and kept getting blank screens when I tried to preview posts.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are getting logged out, then when you log in, you must check the "remember me" box.

    You are way out of date with your version of SUPERAntiSpyware.

    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.

    Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.

    Now the only thing I see in your logs is this:
    C:\WINDOWS\system32\TXXVXQ --> use windows explorer to find and delete it.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * SAS and MBAM
    * C:\MGlogs.zip
     
  4. bbpathd1

    bbpathd1 Private First Class

    Hi Tim, glad to hear from you.

    My computer had been very SLOW, especially in trying to open Add or Remove Programs or Word.

    I updated SAS per your instructions. I’ll have to remember to not just update it each time I run it (which is what I have been doing) but to check MG download for a new version of it each time BEFORE I update it and run it.

    Ran Malwarebytes—nothing found this time.

    I deleted the weird file without an extension. Properties on it said it was created 080409.

    Ran MGtools to get the logs.

    Let me know what to do next. Thanks.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. I suspect that your issue with speed is due to you having both Avast and Comodo Internet Security installed. Two AV programs! As well as all the other security tools you are running. It has resulted in this:

    Total Physical Memory 1,280.00 MB
    Available Physical Memory 330.30 MB

    I suggest that you only use Comodo's firewall. You should post in the software section for further assistance with your speed.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  6. bbpathd1

    bbpathd1 Private First Class

    Tim, thanks for your reply. I noticed you guys were working very hard this weekend to try to get caught up with all the Malware Forum posts. Thanks for doing that. Your efforts are appreciated more than I can say. However, I am still having problems. Computer is slow to open programs and Word when I am on the internet.

    Ah, the memory. Worse than it was last time. I added 512x2 just in February or March after AT&T made me switch from CA to McAfee to use their security. CA took very little in the way of resources, but McAfee was a real hog. This bunch of programs may be too.

    I have Avast as my AV program. Comodo Internet Security allowed me to install just the firewall part of it when I installed it. I said no to installation of the AV part of it. My configuration of Comodo shows that I do not have Antivirus Security. I have Firewall Security—updated, Internet Security, Proactive Security and Firewall Security showing in my configuration when I click the Comodo shield. Are you seeing otherwise on my logs?

    Besides, Avast is no longer working. It has been disabled. I suspect Avast has been disabled since the day I first posted. I tried to run it offline (never tried before) on 100409 and got the Unknown Error message “Application cannot load skin. Function usiGetSkin Failed”. Avast would not open.

    Plus I got a spam. On 100509 I found a spam email (subject Posters) both to and from my email address I use with Majorgeeks, but the name on it was Stacee Noteboom, which is of course not my name. There quite probably would have been more spam, but I don’t use Outlook or Outlook Express and I purposely do not add names to Address books in webmail. I figured if I ever got a spambot, I was not going to make it easy for them to bother anyone I know.

    See the next couple items from 100809. I’d written it in anticipation of getting back to you sooner.

    Tim, since a picture is worth a thousand words, I wish I could send you what today (100809) has been like since logging on—but my screenshots all exceed your allowable space for attachments. (I have to learn how to do those thumbnails!) I was greeted with the folder MGTools and 11 logs from it on my desktop. They were not there when I logged off yesterday (100709) and I did not try to save them there. They are just there.

    When I went on internet, I got MS Visual C++ Debug Assertion Failed on HPbootop.exe. I had gotten that Debug Assertion Failed also last night (100709) while I was uninstalling SAS. When I installed the new SAS, IE7 opened on its own and then crashed when I tried to close it. Forgot to mention that to you when I posted last. And I wasn’t about to add another post and create a bump, knowing how busy you guys are.

    Then I noticed red x shield re Windows Security and found Avast Antivirus was called out of date. Almost immediately then 4 identical Firefox pages popped up about Avast problem—all saying “I have installed avast 4 Home and every time I try to open it, I get an error message stating ‘unknown error message’, ‘Application cannot load skin. Function usiGetSkin Failed’. How can I fix this?” A fix using Start--Run was provided: C:\Windows\system32\regsvr.exe actskin4.ocx, but the fix did not work and I got RegSvr32 error box that said “LoadLibrary (actskin4.ocx) failed. The specified module could not be found.” Avast “Resume provider” is greyed out when I click Avast in systray. Avast iAVS update said it worked, but Avast Program update was unresponsive and would not open. Then Avast Resident Protection page opened and avast.setup modifying the contents of avast.setup appeared as a Comodo alert and I allowed it—looked like it was trying to reinstall the whole thing? Boxes said Avast setup—Downloading packages 48,108 bytes complete, then Installation Progress 14,688,375 bytes complete. When it seemed just about done, I got message Firefox was closing, then Word, then everything was closing and machine rebooted with me just watching it and not doing a thing.

    After that reboot I checked and Avast “Resume provider” was still greyed out. That tells me it is still disabled.

    I ran Spyware terminator scan, googled and removed 2 tracking cookies:
    Remove Tacoda.net Tracking Cookie - Tracking Cookie Removal ...
    Apr 3, 2009 ... Tacoda.net is a Tracking Cookie program that can also display pop-up advertisements in your browser while it is connected to the Internet. ...
    www.securemost.com/support/rm_tacoda_cookie.htm

    apmebf.com | McAfee SiteAdvisor Software – Website Safety Ratings ...
    apmebf.com is a new route for the Valueclick network, which can host tracking cookies, pop-up ads, phishing scams, and potentially browser exploits. ...
    www.siteadvisor.com/sites/apmebf.com


    Would you please look again at my HJT log from MGTools. Aren’t there some things there that need to be removed? Like the R3, the O9 Messengers, and the O23 MHFRE?

    And Tim, listen to me. I want you to read the following blurb about false positives and false negatives and I want you to think about situations in which false negatives could occur. Confer with Chaslang if you like. I need to send him some information also.

    Malware --The term false positive is also used when antivirus software wrongly classifies an innocuous file as a virus. The incorrect detection may be due to heuristics or to an incorrect virus signature in a database. Similar problems can occur with antitrojan or antispyware software.
    A false negative is when there actually is a disease (or other condition) but the results come back as negative. A finding of no cancer, when there actually ...


    Tim, I am hoping to hear back from you soon. Thanks.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I just wanted to be clear that you were not running Comodo's AV. Many firewalls will not recognize third party AV programs. So that would not be an issue. Again, you need to look at how much memory is being used to judge your slowness. This means that you may need to run a start up manager to stop numerous programs from running and using memory. Comodo is going to use quite a lot of memory, so you may wish to change to something lighter such as PCTools firewall ( without ThreatFire!).
    Did you try completely removing it and reinstalling it after running CCleaner and doing a reboot?
    Spam in your email program is something you have to remove yourself. You have a few choices:

    1. delete the whole file which is not an option you normally want to use
    2. load the email folder that contains the infection and delete ALL unnecessary emails (hoping to remove the problem email) and then use the Mailbox Cleanup option to delete all old emails. Then compact the Outlook database to permanently remove data. See http://support.microsoft.com/kb/196990 If you do not clean up and compact the databases, the deleted emails may still be leaving hidden information in the database that you just cannot see but a scanner may still pick up on it.
    3. create a new folder and move only emails you really need into the new folder and then delete the infected folder.

    This is a general guide, but should give you the information to do it.
    Again, an issue for the software forum.


    You can certainly remove them. The R3 and the O23 lines show that there is no file associated with these items and are therefore just left over junk. If you wish to disable messenger, run this: Disable/Remove Windows Messenger to remove Windows Messenger.
    If you are trying to say that because there is no malware in your logs, that all of them are wrong, then you need to show me what something is reporting as malware. Are you running online scans that report something that is not in the logs?
     
  8. bbpathd1

    bbpathd1 Private First Class

    Hi Tim, I had not forgotten this thread—I just could not do anything on this computer while I was out of town. Before I left, on 101809 I decided to see what I could do myself in the way of a major cleanup of this Compaq before I asked for more help. I began doing everything offline. This is wordy and long, and I know you are busy, so if you want to send me to the Software Forum that is fine. If you would, please just look at the attached logs (selected ones) first.

    Because none of these three things seemed to be working any longer, I uninstalled A-squared, WinPatrol, then Windows Defender. The last two had once been showing in systray but stopped some time ago. Then I ran Ccleaner and then Ccleaner on registry and got off about 70 items—mostly uninstaller issues.

    Then I rebooted and ran analyse.exe—I decided to fix R3, O9 and O23. I uninstalled Windows Messenger.

    I googled O4 ctfmon.exe, and it seemed to be something I could live without. I noticed microphone and some other things turned on in the bar at bottom of my screen. (I don’t remember ever consciously turning them on.) I found I could turn them off, so I did the two fixes from http://www.howtogeek.com/howto/windows-vista/what-is-ctfmon.exe-and-why-is-it-running/ that I found to disable it. I went into MS Office 2003 and Regions and Languages and turned off advanced text svcs.

    I looked at all the Avast Shields—at first it looked like the Standard shield might be running but then I realized it does not look like anything is. Avast looks totally disabled.

    Since TeeCee had shown me that I have services and they are associated with O23, I decided to compare services on this computer with services on my other computer. I disabled Clipbook by Run services.msc since it is Disabled on my other computer; I did not like that it could store information and share it with remote computers. I noted that Remote access auto connection mgr is Disabled here but Manual on my other computer. I stopped MHRFE (the O23 in HJT) in services and disabled its startup type because I did not know what it is and nothing came up in Google.

    On 102009 still offline, on start Windows Security icon in systray is red and Avast is out of date.

    I went back to services and changed MHRFE some more--disabled its hardware profile and unchecked “Allow svc to interact w desktop” under Log on as local system acct.

    Word is faster to open now.

    I ran RootRepeal with all security disabled—11 hidden files found.

    I ran Combofix with security disabled—after message about scan time may be longer than 10 min, said it ran step 49, then was deleting 2 Iadhide files, then got an error box catchme.cfxe, then Windows was rebooting, then it was getting the log took long time and all the systray items populated, finally icons disappeared from screen and log was complete message, then finally log appeared as txt file.

    Online now, I tried to update Avast, and setup seemed to reinstall whole thing again!

    Combofix ran 1-50 this time; catchme.cfxe error box popped up just before reboot. It took 15 min to finally do report.

    Back after two weeks, on 110409 I went online. Avast wanted to update and I allowed when Comodo defense alert said avast.setup is trying to modify a protected file or directory. It installed 968 MB. I kept getting “Unknown error--Skin is not complete” despite trying both skin choices offered. So I uninstalled Avast.

    I uninstalled Crawler toolbar, Smart Draw and Spyware Terminator. In Windows Explorer I saw not all of Avast was removed, so I ran Alwil uninstall utility.

    I then installed Avira and ran AV scan--found 5 Trojans (false positives? and in system restore.)

    I used CCleaner on ltd accts and in ltd user Janice acct got run32.dll error and then box that “Windows is in the middle of a long operation.”

    Back to admin acct, I updated SpywareBlaster, ran Spybot—found 2 tracking cookies and ran all 5 MG Read & Run Me First scans (just in case those Trojans were not false positives). MBAM and SAS—nothing. Rootrepeal still had that .fcs file.

    Last night I came across a post by Chaslang, telling someone to fix these with HJT. So I have gotten rid of them. I’d been wondering about them anyway.
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

    Today I noticed in My Documents I have a Drive_C.dat and Drive_C.xml that were both created 081709. I don’t know where they came from or why they are there.

    When I googled this O23 item, I got redirected to a page with a purple box that said, “Hello Googler…We noticed that you searched on Google for O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe, but this page is about driver install macrovision manager service table. Click here to fix this” Not in a million years would I click on that!

    My available memory does seem better. Now for my questions.

    Does it mean anything that these files keep showing up in ComboFix?
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
    c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll

    It looks like ctfmon.exe is back on the HJT log despite my turning it off. Can I just fix it with HJT? I’d like to fix some of those other O4’s also. Does fixing them leave the program and just get rid of the autostart at startup? I’m also considering fixing the below entries. What do you think?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local (not on my other computer, might be OK w/o ;*.local)
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe (I use Mozilla instead)
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (no urgent need to share photos)
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (I can wait for it to open)
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (no realtime protection, I’ll run manually)
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" –quiet (I don’t IM anyone)
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (no realtime protection, I’ll run manually)
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user') (who is default user—not sure I like this at all)
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 (I don’t have Excel, so what is being exported?)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (just reinstall to run again)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (just reinstall to run again)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL (just looks unnecessary)

    Why was Clipbook turned on in services? After I used my other computer for comparison, I found Black Viper’s recommendations and the default is Disabled. I just rechecked it and it said Manual, so I changed it back to Disabled again. I am the only person using this computer, so how is this happening?


    My initial problem of McAfee Security (what I had at the time) being disabled dates back to April when all my problems started. Seems odd that now Avast has been disabled too.

    I know I cannot prove there is now or has been any malware doing these things, but it just seems mighty suspicious that they happened. I wish I could come up with a scan that would show what I’d like to know.
     

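Whether an entry like the ones listed in this post is safe to fix comes down to the same test TimW applied to the R3 and O23 lines: does the file it points at still exist? The Python below is an added example, not code from this thread or from HijackThis: it parses lines of the kinds quoted above (a constructed sample built from the post, plus one stand-in `ExampleOrphanSvc` line in HijackThis's `(no file)` form), pulls out the referenced path, and sorts each entry into orphan, autostart, installed or review. `SAMPLE_PRESENT` is an assumed stand-in for the real filesystem so the script runs offline; on the machine itself the default `os.path.exists` probe is used.

```python
"""Triage HijackThis-style log lines by whether the referenced file still exists."""
import os
import re
from typing import Callable, List, NamedTuple, Optional

# Constructed sample built from lines quoted in this thread, plus one stand-in
# service line in HijackThis's "(no file)" form (ExampleOrphanSvc is a placeholder).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ExampleOrphanSvc - Unknown owner - (no file)
"""

# Constructed stand-in for the machine's filesystem: the files assumed to still be
# installed. Excel and the BitDefender scanner are deliberately absent, since the
# poster says she has no Excel and would reinstall the scanner to run it again.
SAMPLE_PRESENT = {p.lower() for p in (
    r"C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe",
    r"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe",
    r"C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe",
    r"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe",
)}

KIND_RE = re.compile(r"^(R\d|O\d+)\s*-\s*(.*)$")
# A quoted path may contain spaces; an unquoted one is cut at the first executable
# extension so trailing arguments such as -t (User 'SYSTEM') are not swallowed.
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+)"'
    r"|([A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|bat|cmd|scr))\b",
    re.IGNORECASE,
)


class Entry(NamedTuple):
    kind: str            # HijackThis section, e.g. "O4", "O23", "R1"
    raw: str             # the full log line
    path: Optional[str]  # file the entry points at, if it names one


def parse_log(text: str) -> List[Entry]:
    """Turn log text into Entry records, skipping lines that are not HJT items."""
    entries = []
    for line in text.splitlines():
        m = KIND_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m.group(2))
        path = (p.group(1) or p.group(2)) if p else None
        entries.append(Entry(m.group(1), line.strip(), path))
    return entries


def classify(entry: Entry, exists: Callable[[str], bool]) -> str:
    """Sort one entry by what fixing it would actually change."""
    if "(no file)" in entry.raw or (entry.path and not exists(entry.path)):
        return "orphan"      # dead reference: fixing removes only the stale entry
    if entry.path is None:
        return "review"      # nothing to look up (e.g. R1 proxy bypass list); judge the value
    if entry.kind == "O4":
        return "autostart"   # program is installed; fixing drops the Run value, not the program
    return "installed"       # service, button or menu item backed by a file that is still there


def triage(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[tuple]:
    """Return (kind, category, path) for every entry; exists() is the filesystem probe."""
    return [(e.kind, classify(e, exists), e.path) for e in parse_log(text)]


if __name__ == "__main__":
    # On the real machine call triage(log_text) and let the default os.path.exists probe run.
    for kind, category, path in triage(SAMPLE_LOG, lambda p: p.lower() in SAMPLE_PRESENT):
        print(f"{kind:<4} {category:<10} {path}")
```

Short 8.3 names such as PROGRA~1 will not match their long-name equivalents in a plain set lookup, so on a live machine the `os.path.exists` probe, which resolves them, is the one to use.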

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is nothing in your system that needs fixing. I would suggest that you stop playing around with it. The only thing that was found in your Avast scan were
    1) a false positive regarding MGTools
    2) infected restore points. The only way to remove them is to toggle system restore, which apparently you have not done when I last gave you the final cleanup instructions.
     
  10. bbpathd1

    bbpathd1 Private First Class

    Chaslang and Tim,

    With all due respect to both of you, please look at the logs in Trojans, What Else? and you will see this is not the same computer as in the thread Malware Again, if it all truly was gone before (that was my Compaq). This is my Lenovo, and I have not been doing anything to it other than the updates that come from Microsoft, Java, Firefox, etc. It is the computer TeeCee helped me with in the Software Forum and I have had no problems with it until yesterday. You’ll know what I have been doing when you see the logs; I know I can’t hide anything there from you.

    Chaslang, I started a new thread for a different computer since I know Rule No. 4 says NOT to talk about two different computers in the same thread!

    I was out of town for about two weeks at the end of October. Tim, you helped me with Personal Antivirus, Trojans and iNetProtector and Rogue:ErrorFix--Anything Else? while I was out of town. I was just about to reply to Tim tonight when I saw he had replied to the Malware Again post and tell him I was finishing his final instructions and he could close the thread; I didn’t reply earlier today because I was busy with the Lenovo and wanted to get that post done. But instead, I saw you, Chaslang, had already replied to the post I just did, and I knew you were taking several days to get to the new ones. I was very surprised to see you had answered and then very sad that you would think I would start a new thread on that same computer instead of replying back to the one I already had.

    I really admire both you guys so much. Believe me, I am not trying to purposely irritate you or make you mad at me. And, believe me, I am not purposely trying to find extra malware just so I can send you messages about it. But I know, of all the forums, that MajorGeeks is the best and you two are the best at malware removal, so that’s why I ask for your help. There is more I could say, but that might best be done privately.

    Sincerely,

    Janice
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! I see now that it is a different computer and will reopen that thread.
     
