Exploit/mhtredir.gen and Adware: cws, ieplugin, ist.istbar

Hello,

Thank you for making yourselves available. After days of using various malware removal tools, antispyware and antivirus scans, and manually locating and removing identified malware in the Windows Registry, I’m only partially successful. Panda Active Scan (free online scan) is the only antivirus scan (out of 8 free online antivirus scans) identifying the same malware on my computer: Hacktool mhtredir.gen and Adware cws, Adware ieplugin, and Adware ist.istbar. I do get an occasional popup, but I’m unable to locate and remove the four identified threats by Panda Active Scan given the references I researched. I’m also wondering if these are false positives or real malware in windows registry and IE bookmark? Here is what I have done so far:

For adware/ieplugin: Symantec’s FxIeplgn.exe removal tool for IE Plugin deleted 19 files and fixed 7 registry entries, but I was unable to find any of the identified .dll and the multi-page modified registry entries for this adware to follow through with the manual removal to its completion (tedious and no progress - gave up).

For adware/ist.istbar: Symantec’s FxIstbar.exe removal tool did not find the adware Ist.istbar on my computer identified by Panda Active Scan. I also searched and didn’t see any of the half of the multi-page subkey values identified by Symantec (tedious and no progress - gave up).

For adware/cws: I ran Trendmicro CWShredder, but there was no unwanted bookmarks or insidious browser hijackers identified.

For Exploit-mhtredir.gen: I followed Symantec's manual removal instructions for this malware, which is identified as backdoor.nibu.d trojan horse, but the instructions do not apply in my case. I could neither loate the relevant .exe files nor find the matching changes made to the registry to reverse them.

Three different updated anti-spyware scans found only the usual cookies and none of the four identified threats. The up-to-date adware scans I used were: Ad-Aware SE (Safe Mode), AVG (Safe Mode), and Superantispyware (Normal Mode as instructed).

Eight free online antivirus scans was used, and Panda Active Scan was the only one to identify the same infected files. The seven online antivirus scans I used in addition to Panda Active Scan were: Symantec, Trendmicro, McAfee, BidDefender, F-Secure, Kaspersky, and AVG Antivirus (new build as of 2/18).

Various spyware removal tools used: Microsoft, McAfee, and Panda Quick Remover Top Spyware

In addition to the above steps, I’ve done all the required preparatory work as per majorgeeks.com before scanning and posting the hijackthis log. Would you kindly take a look at my six required logs by you and advise what I should do with these real or false positive threats? Attached are the first three of the six logs.


AVG Antispyware log
BitDefender log
Panda Free Online Active Scan log

 

See the last three required attached logs.

~End of Report~
Thanks

 

Thanks for your assistance, Tim.

I uninstalled:
J2SE 5.0 Updates 10 and 11.
Viewpoint Media Player

I installed: Java Runtime 6.0

Edited registry as per fixMe.reg.

Fixed 2 items in HijackThis as instructed.

Attached 3 files:
* GetRunKey
* ShowNew
* HJT

 

FYI: I ran CCleaner and 3 antispyware in Safe Mode and 3 online antivirus scans (AVG, Pandasoftware, and Trendmicro) immediately after posting the logs above. Subsequently, Panda did not detect Exploit mhtredir.gen, so we just have the three remaining adware cws, ieplugin, and ist.istbar left to remove.

I reconfigured CCleaner to remove Old Prefetch Data. Could you tell if Exploit mhtredir.gen was removed due to the changes made in the registry, or was it resolved by uninstalling Viewpoint Media Player or removing the old prefetch files?

 

Hello Tim,

I was waiting for removal instructions on the following infections:

Adware:adware/cws
Not disinfected
C:\Documents and Settings\Owner\Favorites\Health

Adware:adware/ieplugin
Not disinfected
Windows Registry

Adware:adware/ist.istbar
Not disinfected
Windows Registry

Thanks

 

I ran updated Ad-Aware SE, AVG Antispyware, Spybot, and Superantiyspyware several times in Safe Mode over the last week, and none of them found or confirmed the threats.

Panda's free Quick Remover for special top spyware could not find the three infections identified by its Active Scan; however, I couldn't follow through the scans exactly as the written instruction, because I couldn't very well restart my computer to run the subsequent scan (looks like it's the online Active Scan) after running its pqremove.com as directed if the option to restart the computer before the scan was not made available in the same dialog box.

So, my HijackThis log looks clean as well?

I deleted C:\Documents and Settings\Owner\Application Data\Viewpoint, but I haven't removed Major Geek's tools yet.

I googled Logitech Desktop Messenger but could not confirm that its a spyware. Should I delete the following in my HijackThis log:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) and
multi-pages of O18 - Protocol: bw+0 - {AC1FB698-4CDD-4E2A-B4F7-08C134563D28} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

What should be done with the remaining 3 adware?

 

What do you mean "make a backup when prompted"? CCleaner doesn't prompt me for backup when I run it in Safe Mode before I run antispyware. Am I suppose to configure CCleaner a certain way other than default? I usually run CCleaner before I run the antispyware scans, so my temp folder should be clean, right?

Kaspersky online scan didn't previously report any malware, but I will run Kaspersky as instructed and post the result.

After I check the items to be fixed in Hijackthis, do you want another HJT log, too?

 

I fixed the O2 and O18 in Hijackthis. Reboot PC. Scanned and created a new HJT log.

I ran CCleaner to delete temporary files and Issues to fix registry and file integrity in Normal Mode. Under Issues, I created a backup and elected to fix all selected items (65 unused files). I hope "fix all" was the correct action.

I ran 4 online antivirus scans (Kaspersky, Pandasoftware, McAfee, and Bitdefender) after the latest fixes and 1 real-time AVG AV that completed just before the start of the latest fixes. Panda active scan is still the only AV detecting the three malware. The result of Kaspersky AV scan: "no malware has been detected".

3 Attached files:
HJT log
Kaspersky AV log
ShowNew

 

Sounds good, so do you think adware cws/ieplugin, ist.istbar are false positives? Adware cws seems to be located somewhere in my Health bookmark. Trendmicro free Housecall scan had a similar detection in the same location about a while back but not recently.

I'm using IE 6.0 SP2. How do I remove IEPlugs-ins and extensions? And after I'm done testing, do I need to restore these IEPlug-ins and extensions? I don't know what these things are or where they are located.

Not too much (once every 4 months at most). Gateway sends the latest security patches, software application updates, virus scans and other programs via BigFix to keep the computer up to date. I could uninstall it since I'm not getting many updates from BigFix that I couldn't get from other online AV scans and Microsoft, but because this computer is only two years old, do you think the computer may get more regular software updates for as techonology advances?

 

Just realized something about adware.ieplugin and adware.istbar. IEPlugin is not a false positive because Symantec's FxIeplgin.exe removal tool deleted 19 files and fixed seven registry entries (see my first post); however, I could not locate any of the .exe, .dll, .ico, and .pst files identified and most of the values in the registry subkeys by Symantec. Is it worth my time then to go over and delete the Windows registry manually? They are multi-page registry entries for both Adware.IEPlugin and Adware.Istbar.

 

Thank Tim. I will leave out uninstalling BigFix for now, at least until the computer is clean.

I will test out removing the IEPlugins first and if that doesn't work then I'll post symantec's removal instructions for Adware.IEPlugin and Istbar. Could you give me a link or the instructions on how to both remove and reinstall the IEPlugins and extensions?

 

RE: More discoveries about Adware.IEPlugin from Symantec.

Quoting Symantec: "Adware.IEPlugin displays an advertisement when it sees a targeted keyword. It will also install a running process to update itself by contacting servers every few minutes. This adware may also add bookmarks to the Favorites menu."

Could this be the same Favorites menu or related to the CWS infection detected in my Health bookmark folder?

See Manual Removal for deletion of subkey values in the registry at Adware.IEPlugin, http://sarc.com/avcenter/venc/data/adware.ieplugin.html

RE: Adware Ist.Istbar

I just searched for the relevant .dll and .exe for istbar and none was found on my computer. I ran Symantec's removal tool for Istbar again and the result was the same as the first finding - "Adware.istbar has not been found on your computer." Do you think adware ist.istbar is a false positive then or may disappear (as well as adware.cws) if we could fix Adware.IEPlugin?

See values added in the registry for istbar at, http://www.symantec.com/security_response/writeup.jsp?docid=2003-091913-2632-99&tabid=3

What should I do next?

 

Dear Tim,

I am still working my way through testing IEPlugins, but could you walk me through how to rename (release or delete) a Word file name from the command prompt or any other way you see fit? I noticed from a few different logs that the same Word documents weren't scanned due to long path (or file names) with the following notices: "(WARNING: not scanned, path to long)". I also can't rename, move, or delete them via Windows Explorer. These long file name or path problems may not be directly related to the Adware IEPlugin problem, but they did show up in the FxIeplgn.log, and these lacked documents need to be resolved even if the previous log reported that Adware.IEPlugin had been successfully removed from my computer before I run the Adware.IEPlugin removal tool again. Thanks.

 

RE: Viewpoint Media Player references and folder found on my computer:

1. C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win

Should I delete this Viewpoint folder? Source: McAfeee, http://vil.nai.com/vil/content/v_137262.htm

2. CLSID for AxMetaStream_Win associated with Viewpoint Media Player found in my Windows registry. I found the same CLSID in the following registry subkeys on my computer, should I do anything to it? Source: http://www.spywaredata.com/spyware/malware/axmetastream_03000f10.dll.php

HKEY_USERS\S-1-5-21-717021609-1707896527-2994540852-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}

This registry value is “default” and “data not set”.

RE: Adware.IEPlugin

Although Adware.IEPlugin was successfully removed as reported by Symantec’s removal tool log initially, do these 4 remaining unscanned Temp IE files reported by IEPlugin log from Symantec Adware.IEPlugin Removal Tool have anything to do with the current IEPlugin detection, especially since several entries from \Content IE5 in the same directory were deleted?

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\DNZ0SYKG\222&color_link=007c85&color_url=007c85&color_border=ffffff&color_line=ffffff&ad_type=text&region=main%20sec&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=-360&u_java=true (WARNING: not scanned, path to long)

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\JOORY859\222&color_link=007c85&color_url=007c85&color_border=ffffff&color_line=ffffff&ad_type=text&region=main%20sec&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=-360&u_java=true (WARNING: not scanned, path to long)

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\TZ3X9D1X\222&color_link=007c85&color_url=007c85&color_border=ffffff&color_line=ffffff&ad_type=text&region=main%20sec&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=-360&u_java=true (WARNING: not scanned, path to long)

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\VOXN7964\222&color_link=007c85&color_url=007c85&color_border=ffffff&color_line=ffffff&ad_type=text&region=main%20sec&cc=100&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=-360&u_java=true (WARNING: not scanned, path to long)

Should I uninstall Logitech Desktop Manager? Is it a confirmed spyware? Several related entries were locked and skipped in the last Kaspersky scan.

I did a search on SC30, but I can’t find anything on it. Is it a legitimate program or should I uninstall it?

RE: Problem renaming a few long .doc file names in DOS

Three .doc files also were not scanned, so I would like to fix them before I run the IEPlugin removal tool again. I can see the long file name in the right directory in DOS, but I am getting “The syntax of the command is incorrect” when using the REN command to rename the following long file name at the command prompt. Could you tell me what are the steps to rename this .doc file, “C:\Documents and Settings\Owner\My Documents\Skin Care\Photo-damage\Antioxidants\Topical Vitamin A\Epidermal Vitamin A\A-Alcohol-Retinol\Application of retinol in vivo induces epidermal hyperplasia and cellular retinoid binding proteins characteristic of RA.doc?” Thanks very much.

 

Hi Tim,

I don't have good news to report yet and have a problem. I was checking manually through the Registry Editor looking for IEPlugin related subkeys and accidentally modified one value under the CLSID subkey - under HKEY_CURRENT_USER\Software\Classes\CLSID. I have a a system backup, but do you have a faster and easier way to restore just this one value under this CLSID subkey? If I use the system backup, I'm not sure if it will allow me to restore one specific registry subkey, and then all the changes we worked on may be undone. Please advise.

Here is what I have done since we last communicated, and Panda Active Scan is still detecting Adware cws, ieplugin, ist.istbar:

1. Deleted remaining Viewpoint folders and files:

Ran Viewpointkiller tool and confirmed there was only one remaining Viewpoint folder to delete - C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win, which was removed by Viewpointkiller tool.

Merged the Viewpoint registry entry as directed.

Ran but terminated Panda Active Scan because the results did not change – the same three spyware were detected.

2. Search and remove Adware IEPlugin using Symantec removal tool:

I couldn't rename, open, or delete a long filename in Explorer and at the command prompt. Microsoft support document didn't help, since I couldn't comprehend its specialized techno speak. After googling, I got some ideas from others and moved the folders up the directory where the deep long filenames were located to shorten the directory path to rename the files. Three long filenames renamed.

Ran Adware IEPlugin removal tool from Symantec for the second time. The 2nd result and a summary of the log:

Adware.IEPlugin has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 50742
The number of deleted files: 2
The number of threat processes terminated: 0
The number of other processes terminated: 0
The number of registry entries fixed: 7​

Apparently, there were additional Temporary Internet Explorer Files in a second Administrator folder created titled Administrator.Gateway 702GE. I'm not sure how the creation of a second Administrator folder came about or if it was legitimate. See attached FxIeplg.log

Restarted PC and ran CCleaner, Panda Active Scan, and Symantec online virus scan in Normal Mode. No threat was detected by Norton, but Panda is still reporting the same three infections. Today's scheduled updated AVG AV scan also showed no threat detected.

3. Disabling and browser extensions in IE

Did you want me to disable the browser extensions for the "add-ons currently loaded in IE" or the "add-ons that have been used by IE?" I researched the .dll and .exe in the currently loaded add-ons, all of them are legitimate, so I haven't disabled any in that category. I have yet to go through the longer list of add-ons in the "add-ons that have been used by IE. Am I approaching this correctly? Should I continue? How would I know which browser extension to disable to test?

4. I'm almost done manually checking the ieplugin affected files as per Symantec, so I hope you can help me restore the value in the Registry CLSID subkey.

5. The last step is to reset the IE Search page. Do you want me to follow-through with this last step of setting the Search page? Will it undo the registry changes we made?

6. Ran Symantec's FixIstbar removal tool for the second time:

The following four registry files were deleted but the result of the scan was the same as the first: "Adware.Istbar has not been found on your computer":

registry: HKEY_USERS\S-1-5-21-717021609-1707896527-2994540852-1003\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_USERS\S-1-5-21-717021609-1707896527-2994540852-1003\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_USERS\S-1-5-21-717021609-1707896527-2994540852-500\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_USERS\S-1-5-21-717021609-1707896527-2994540852-1003\Software\Microsoft\Internet Explorer\Search: SearchAssistant (value deleted)

 

So, do you think running CCleaner Issues will restore registry subkey? I'm not sure how CCleaner Issues fix registry, but is that an option?

System Restore on my XP Home Edition is kind of odd. I manually created a restore point on 2-18 or about, but it seems not to exist any no longer and is replaced by System Checkpoint. Maybe it was because unchecked "Turn off System Restore" as instructed subsequently. Either XP (and/or AVG AV) seems to be creating sheduled automatic System Checkpoint daily and as I install new software.

quoting TimW: Have you run the removal tool under all user accounts?

I'd imagine I ran Symanatec's Fxplgn.exe and Fxistbar.exe under Owner account the second time since Owner is the only active account when the computer boots up, unless I manually select the Adminstrator account in Safe Mode when instructed.

The added Administrator.Gateway 702GE account and the Default User account look worrisome to me because I don't believe they were there before I did the registry merge on CLSID for AxMetaStream_Win and when I ran the Symantec removal tools the first time. Please confirm and advise.

quoting TimW: I would scan your backup before using it to restore your system.

What do you mean by scanning the backup and why and with what?

There are daily system checkpoints in System restore. I also have a backup on 3 zip disks created on Day1 prior to all the fixes. Should I use the restore system check point, the zip backup, or CCleaner Issues to restore registry subkey?