Persistent malware, need help
Calypze
Stockholm, Sweden
Hello guys!
I have a very troublesome malware problem. I use Avira AntiVir, eScan and Norton Internet Security for antivirus, and while Norton and AntiVir are unable to detect these, eScan detects various pieces of malware but demands money to remove them. I've also tried some other programs I've found online to remove them, but they weren't able to detect them. Needless to say, neither Spybot nor Ad-Aware can find anything.
The malware that eScan finds are "gain.gator Spyware/Adware", "look2me Adware", "zlob Trojan-Downloader" and earlier it also found the Fujacks worm.
Yesterday the malware (which were the same) terminated my Internet connection. That was too bold of them, and because of that I made a system restore. But they're here now, so either they remained somehow, or they reinfected me somehow. I don't know what to do; it seems like these malware pieces refuse to leave me alone.
However, at least right now it seems that the malware isn't unblocking sites blocked by SpywareBlaster and Advanced Windows Care, and they have yet to deactivate antivirus programs, like they did before I made the system restore (it seems to have removed my clock and the other stuff that appears at the right on the desktop, though). Also, before I made the system restore, I used the trial version of Spy Sweeper, and it found "clientman" (however, the trial version won't remove anything), but I haven't downloaded Spy Sweeper this time. Do you think I should?
I am unable to get the Panda Online Scanner to work, the same goes for Bit Defender Online Scanner and Kaspersky Online Scanner. I can get HouseCall to work, but that takes Java, which is a source for infection.
My OS is Windows Vista Home Premium.
Here is my (current, at least) HijackThis log:
This is pretty much it I think. Hopefully I haven't forgotten anything.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:06:41, on 2007-06-05
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\hp\kbd\kbd.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Users\Johan\Desktop\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bitdefender.com/scan8/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=71&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=71&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\ProgramData\Prevx\pxbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Visa Norton-verktygsfältet - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O13 - Gopher Prefix:
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Verifiering av lösenord (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: PXVistaSvc - Prevx - C:\Program Files\Prevx2\PXVistaSvc.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: StopSign Update Manager - eAcceleration - C:\Program Files\Common Files\eAcceleration\eacsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 9747 bytes
Comments
The log isn't showing too much malware although it IS infected. Given that escan is apparently finding so much we'll do a general clean out first.
However, please note one thing.
You must only have ONE installed antivirus and ONE installed firewall in operation at any one time. More than this will result in conflicts and problems.
Please ensure you have only one of each running.
***********************
Make sure you have exposed all Hidden Files & Folders.
To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and close My Computer.
***********************
Please download and install SUPERAntiSpyware (it's Vista compatible)
IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
***********************
Open HJT ... click on 'Do a System Scan Only'... put tick/check marks next to these entries IF they are still present ...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
Remember to close ALL open browser windows – including this one – before clicking on “Fix Checked” at the foot of the HijackThis window.
*******************
Do a system wide search for this file and delete it…..
Sidebar.exe
*******************
Empty your recycle bin.
*******************
Rehide your Hidden Files & Folders by carrying out the reverse operation to that described at the start of this post.
*******************
Copy and paste both the Superantispyware scan report and a fresh HJT logfile to this thread.
Please also tell us how the computer is working now.
More specific removal instructions will follow for any other problems identified.
OJ
I uninstalled Norton. I tried to get rid of some other antivirus programs (like StopSign and Prevx2), but was unable to uninstall them. I rely on Avira AntiVir, since it is usually much better than Norton (at least it was on my old computer) and since I don't really know about the other two mentioned.
SUPERAntiSpyware didn't find anything actually. As for HJT, the R0 entries you listed weren't present, but the O4s were, and I "fixed" them. However, after a restart, the mentioned R0 entries were present, so I fixed them then (though they always reappear when I run HJT again). I searched the system for sidebar.exe, and the search engine is unable to find it, though I found it in a folder, and it appears that it is a Microsoft application. It says I must have authorization (I'm uncertain which English word the English version of Windows uses) to remove it, even though my account is the administrator account.
The computer works generally well, though there is some strange behavior. Sometimes SpywareTerminator and WinPatrol and other programs start properly at start-up, sometimes they don't, though it seems like this has to do with Windows. The computer also requires me to press Ctrl + Alt + Delete to allow me to enter the password for the account. It also sometimes sounds like it is working on a heavy task for no apparent reason.
Here are the logs:
Could it be that MWAV is giving false positives? I Googled it, and it appears that the earlier versions of it had a habit of doing that. So the case would then be that it detected gain.gator because I had used SpywareBlaster and Advanced Windows Care to block it. It also appears unlikely that AntiVir would not recognize known malware like zlob and Fujacks. Though I don't know if this is the case, I'm just "thinking aloud".
Sorry to leave you for so long but I didn't receive any e-mail prompt of your last post.
How are things with you at the moment?
Please post a fresh HJT log with another update on how things are working.
MM
The computer works generally well, but something that bothers and worries me is that about one to two gigabytes of the C hard drive seem to be filled every day without any reason whatsoever. I use CCleaner for temp cleaning, but it usually just gets a few megabytes. Why is this? Also the computer sometimes sounds like it is working on a heavy task for no obvious reason.
Here is a HJT log:
As for sidebar.exe, are you sure that the file is supposed to be removed? From what I've seen, it seems to be part of the Windows Vista OS.
I also made regular scans with HouseCall and AntiVir today, and both came up clean. However, it seems like AntiVir takes hours to scan nowadays, while it used to take about 50 minutes before...
Have you any idea what "stuff" is filling up your hard drive at such a rate? Have you carried out any experiments to find out?
Sounds always concern me.
Make sure you have all your vital data backed up.
If you don't have it already I suggest you use Process Explorer. Download it from here ...
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx
Install it and play with it to see how it works. It's like a more detailed version of Task Manager ... it looks at all your running processes and gives you more information on each process.
Once installed click twice on the CPU tab. This will bring all the process(es) using the most CPU resources to the top of the list.
This may identify which task is working so hard.
Please let me know what you discover.
Yes, sidebar is indeed usually fine BUT it can be infected too. That's why I wanted you to try and remove it. If you weren't allowed to remove it then that told me you had the genuine copy. All OK there. Don't do anything more with sidebar.
Not sure why you would have a sudden increase in the antivir scan time. If you "upgraded" to vista rather than starting from a clean install this may cause it.
The log is generally OK. Just open HJT ... click on 'Do a System Scan Only'... put tick/check marks next to these few entries IF still present ...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Remember to close ALL open browser windows – including this one – before clicking on “Fix Checked” at the foot of the HijackThis window.
Lastly run a full system scan with Activescan from here ....
http://www.pandasoftware.com/products/activescan
Let it fix what it wants to fix and SAVE the scan log report.
When done please post a fresh HJT log, the Activescan report and an update on what you found out with Process Explorer.
MM
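Process Explorer answers the "what is working so hard" half of MM's question; the other half, what is eating one to two gigabytes a day, is easier to answer by listing the largest files modified in the last couple of days and summing them per folder. The script below is an added example written for this thread (it is not from the thread, Process Explorer or any scanner named here); it uses only the Python standard library, so it runs on a Vista machine with Python 3 installed or on any other system. The root path, the two-day window, the 50 MB threshold and the demo directory tree are all assumptions of the example.

```python
"""Hunt for what is filling a disk: largest recently modified files, by folder.

Added example, not from the thread or any tool it names. Standard library only.
The root path, the day window and the size threshold are assumptions to adjust.
"""
import os
import shutil
import tempfile
import time
from collections import defaultdict


def recent_large_files(root, days=2, min_bytes=50 * 1024 * 1024, now=None):
    """Return [(size, mtime, path)] for files under `root` modified within the
    last `days` days and at least `min_bytes` big, largest first.
    Unreadable folders and files are skipped (on Vista, run elevated to see
    other users' profiles and the system folders)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # permission denied, temp file already gone, etc.
            if st.st_mtime >= cutoff and st.st_size >= min_bytes:
                hits.append((st.st_size, st.st_mtime, path))
    hits.sort(reverse=True)
    return hits


def growth_by_folder(hits, top=10):
    """Sum hit sizes per containing folder, biggest first. The top folder is
    the first place to look (scanner quarantine, log directory, temp folder)."""
    totals = defaultdict(int)
    for size, _mtime, path in hits:
        totals[os.path.dirname(path)] += size
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


def human(n):
    """Format a byte count the way a person reads it (10 B, 4.0 KB, 1.5 GB)."""
    for unit in ("B", "KB", "MB", "GB"):
        if n < 1024 or unit == "GB":
            return f"{n:.0f} {unit}" if unit == "B" else f"{n:.1f} {unit}"
        n /= 1024


def make_demo_tree(base, now):
    """Constructed sample tree: two fresh files in Logs, one old file in
    Quarantine and one tiny fresh temp file. Sizes are small so the demo is
    quick; demo() searches with a matching small threshold."""
    spec = [  # (relative path, size in bytes, age in days)
        ("Logs/scan-today.log", 4096, 0),
        ("Logs/scan-yesterday.log", 2048, 1),
        ("Quarantine/old-sample.bin", 8192, 30),
        ("Temp/tiny.tmp", 10, 0),
    ]
    for rel, size, age_days in spec:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))  # back-date the file to its "age"


def demo(now=1_700_000_000.0):
    """Build the constructed tree in a temp dir, run the hunt, clean up and
    return (hits, by_folder). A fixed `now` keeps the result deterministic."""
    base = tempfile.mkdtemp(prefix="diskhunt-")
    try:
        make_demo_tree(base, now)
        hits = recent_large_files(base, days=2, min_bytes=1024, now=now)
        return hits, growth_by_folder(hits)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    hits, by_folder = demo()
    print("Largest files modified in the last 2 days:")
    for size, mtime, path in hits:
        day = time.strftime("%Y-%m-%d", time.localtime(mtime))
        print(f"  {human(size):>10}  {day}  {path}")
    print("Growth by folder:")
    for folder, total in by_folder:
        print(f"  {human(total):>10}  {folder}")
```

On the poster's machine the call would be `recent_large_files(r"C:\")` from an elevated prompt, with the default 50 MB threshold; a folder that gains a gigabyte a day will sit at the top of `growth_by_folder`, and its name (a scanner's quarantine or log directory, a download folder, a Windows temp folder) usually says which program is responsible.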
No, it's not full (it's a very huge one), and some days there is a "break" in the filling, so the amounts are not constant or schematic.
No idea. Is there any way to check the most recent files on a hard drive or something like that?
How does one identify the hardest working processes? Is it that the darker the colour, the harder the particular process is working? Also some processes disappear after a while.
I did so, and the O2 entry seems to be permanently gone, but the R0s are always back at a new scan :S
It says that it is currently not available for Windows Vista, but will be soon. So scanning isn't possible.
HJT: Glad to hear that the log is generally OK.
This may identify which task is working so hard.
It may also help us identify what is filling up your hard drive.
Please post the results back here.
Sorry about Activescan ... yes, I should have realised.
Let's try a rootkit scanner in the meantime.
Please download Sophos Anti-Rootkit and save it to your desktop ....
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste this:-
%temp%\sarscan.log
then press Enter.
7. This should open the log from the rootkit scan.
Save the log report & post it into your next reply.
Notes >>>
If the scan is performed while the computer is in use false positives may appear in the scan results. This is caused by files or registry entries being deleted including temporary files being deleted automatically.
If you have TrojanHunter installed (I don't think you do) you will need to disable it prior to running a scan. It has been reported that TrojanHunter is detecting Sophos Anti-rootkit as “Trojan.Dropper.Interlac.100”.
In your next post please include ...
The Process Explorer information
The Rootkit log scan
A fresh HJT log
An update on how things are going.
(I could give you a registry fix for those stubborn R0 entries but I don't want to do that just yet).
MM
Research shows that the entries probably aren't malware but just information.
This key >>
HKLM\Software\Microsoft\Internet Explorer\Search
....contains the Values (URLs) for ...
Customizesearch
Default_Search_url
Search assistant
Normally all these values would have a URL associated with them, for example ....
Customizesearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Search_url = http://www.google.com/ie
Search assistant = http://www.google.com/ie
I believe those entries are showing that the key looks like this (note the two blank parts) ....
Customizesearch =
Default_Search_url = http://www.google.com/ie
Search assistant =
In your log maybe the Default_Search_url is missing as well but hijackthis doesn't show it.
For the moment let's not concern ourselves with those two R0 entries ... just move on with the other issues in my last post, #8, above.
MM
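The two HJT clean-up lists in this thread (the R0 and O4 entries in OJ's first reply, and the R0 and O2 entries MM lists later) and the explanation of the blank Search values above all follow rules that are easy to write down. The script below is an added example for this thread, not part of HijackThis, the thread or any scanner it names: it parses HJT log lines and flags the entry types those replies act on: blank IE Search values (listed as information only, as the post above explains), browser helper objects marked "(no file)", IE buttons marked "(file missing)", Run entries registered under the LOCAL SERVICE and NETWORK SERVICE SIDs, and, going a little beyond the thread, autoruns launched from user-writable folders. The sample lines are a subset of the poster's own log; the allow-list of search hosts is an assumption built from that log, and the flags are prompts for a second look, not verdicts.

```python
"""Triage a HijackThis (HJT) log for the entry types discussed in this thread.

Added example: not from the thread, HijackThis or any scanner it names. The
rules restate what the replies act on; they do not decide malware vs. clean,
they only list what deserves a second look. Sample lines are taken from the
log posted above; the search-host allow-list is an assumption built from it.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the poster's HJT log (raw string, so the
# backslashes are literal).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe
"""

# Hosts that the poster's own log shows as legitimate IE start/search defaults
# (assumption: extend for your machine; anything else is listed for review).
KNOWN_SEARCH_HOSTS = {"go.microsoft.com", "ie.redirect.hp.com", "www.bitdefender.com"}

# Well-known SIDs of LOCAL SERVICE and NETWORK SERVICE, the accounts whose
# Run entries the first reply asked to fix.
SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
REG_VALUE_RE = re.compile(r"^(?P<key>.+?) =\s*(?P<value>.*)$")

EXPLANATIONS = {
    "blank-value": "empty IE Search value; information only, not malware by itself",
    "unknown-search-host": "start/search page points at a host not on the allow-list",
    "bho-no-file": "browser helper object whose DLL no longer exists; leftover to fix",
    "button-file-missing": "IE button/menu item whose file is gone; leftover to fix",
    "run-under-service-account": "autorun registered for LOCAL SERVICE or NETWORK SERVICE",
    "run-from-user-writable-path": "autorun launched from a user-writable folder",
}


def parse_entries(text):
    """Yield (code, body) for every HijackThis entry line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return [(code, reason, body)] for entries that deserve a second look."""
    findings = []
    for code, body in parse_entries(text):
        if code in ("R0", "R1"):
            m = REG_VALUE_RE.match(body)
            if not m:
                continue
            value = m.group("value")
            if value == "":
                findings.append((code, "blank-value", body))
            elif urlsplit(value).hostname not in KNOWN_SEARCH_HOSTS:
                findings.append((code, "unknown-search-host", body))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append((code, "bho-no-file", body))
        elif code == "O9" and body.endswith("(file missing)"):
            findings.append((code, "button-file-missing", body))
        elif code == "O4":
            if any(body.startswith(f"HKUS\\{sid}\\") for sid in SERVICE_ACCOUNT_SIDS):
                findings.append((code, "run-under-service-account", body))
            elif re.search(r"\\(Users|Temp|AppData)\\", body, re.IGNORECASE):
                findings.append((code, "run-from-user-writable-path", body))
    return findings


def report(text):
    """Human-readable triage: one entry per line with the reason spelled out."""
    return "\n".join(f"{code} [{reason}] {body}\n    -> {EXPLANATIONS[reason]}"
                     for code, reason, body in triage(text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it with the full log pasted into `SAMPLE_LOG` (or read from a file) and you get the same five entries the replies singled out, each with the reason; the O23 services and the remaining O4 autoruns are left alone because nothing in the rules points at them, which is exactly why a log "looks generally OK" to a reviewer while a scanner still reports something.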
As for Process Explorer, the hardest working task appears to be a2service.exe, followed by AluSchedulerSvc.exe. Is there any specific process you have in mind? Or should I list some more? Those immediately following seem OK as well; they are audiodg.exe and avgnt.exe. None of these are dangerous I think.
Things are generally going well, but there is a strange phenomenon about the start-up. Sometimes Spyware Terminator and Super AntiSpyware start at the start-up, and sometimes they don't. Why is it so?
And here is a new HJT log:
On those processes .....
a2service.exe >> a Service from Emsi Software GmbH belonging to A-squared.
AluSchedulerSvc.exe >> a process belonging to the Symantec LiveUpdate service which updates your Symantec products periodically.
audiodg.exe >> a Windows Audio Device Graph Isolation from Microsoft.
avgnt.exe >> a process belonging to Avira Internet Security Suite.
None of these are dangerous I think >> You are right. They are all OK.
As to why Spyware Terminator and Super AntiSpyware sometimes start at startup and sometimes not ... I'm afraid I don't know.
The only thing I can suggest there is that you go into both programs' "Options" and check they are both instructed NOT to start on startup.
If they are then DISABLE that order and reboot your machine. Neither of them should now start, of course.
Leave things like that (start the programs manually if desired) and, after a few reboots over the next few days, go back to the options and re-instruct them to start at system startup.
See if they get the message.
Otherwise the log seems to be free of malware.
If you are certain you have no more trouble you should clear out all old System Restore points then immediately create a new one so you have something to fall back on should anything go awry again. Also remember to make SR points on a regular basis.
More on System Restore ...
http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx
NOTE >> if you don't know how to create a SR point in Vista let me know and I'll post the instructions.
What may have led up to your infection and help keep your computer free of malware …
http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html
http://www.help2go.com/Tutorials/Protect_Your_PC/Avoid_Web_Browser_Hijackers.html
http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html
There is a little duplication/crossover but all these tutorials are well worth reading.
Don’t forget to keep AVG Anti Spyware / Superantispyware updated and use it to scan/disinfect your computer from time to time.
If you do suffer an infection again you should run first Ccleaner to clean out your system. Get Ccleaner here but ensure you install it WITHOUT the optional Yahoo Toolbar download (you must untick/uncheck the relevant box on download) …
http://www.ccleaner.com/
Also run through this before posting another HijackThis log …
http://www.help2go.com/Tutorials/Protect_Your_PC/Get_Rid_of_Spyware%2C_Adware%2C_and_Web_Browser_Hijackers.html
Best wishes.
MM
Yes I found the way to do system restore points for Vista, and it seems to work well.
As for HJT, is it safe to remove entries containing (file missing) and (no name)?
Thanks for the links, even though I have most of the software they list. But I'll look into the rest.
The only problem remaining is that Windows freezes once a month or so, so I have to restart the computer the hard way. But I guess that has to do with Windows instability more than anything else.
I also use Advanced Windows Care V2 Personal, is that a good thing?
Also, yesterday I made a scan with Housecall, and it found a grayware named ADWARE_FASTERXP which it removed. The next scan it came up clean, so I guess that's ok, right?
It is a file named KBDStub.EXE which is located in C:\HP\KBD. When the file is active, and that is when the computer has recently started, it is rated as potentially dangerous by Security Task Manager, but when it later goes inactive, it is not rated as dangerous. However, STM can't determine the file's function, and there is no information about it in the process libraries you find at Google, they're merely telling that they are evaluating the process.
So what kind of file is this? How come there is no info about it? And why can't STM determine its function? It isn't listed as belonging to any company by STM.
As to your machine freezing "every month or so" this shouldn't happen. You should download and install Ccleaner (see link in previous post). Run it and clean out your system on the default options. See if that improves stability.
If not look at the hardware ... for example, do you need more RAM?
Windows Care V2 Personal ...... I've heard good things about this but don't use it myself. Maybe others here would have experience of using it and would be better qualified to comment than me.
Yes indeed. You don't want this so looks like Housecall did a good job of removing it.
KBDStub.EXE located in C:\HP\KBD ..... Can't find anything bad on this one. Looks to me like it's part of a Hewlett Packard hardware installation. Do you have a piece of HP kit that could be using it?
As for STM ... these "checking" sites often just say it could be dangerous to cover their backs. Especially if they're "evaluating" it and don't actually know for sure what it is yet.
To run a check go to this site ...
http://www.virustotal.com/en/indexf.html
....hit the "Browse" button and go to this file on your computer ...
C:\HP\KBD\KBDStub.EXE
Upload the file for examination by VirusTotal and post the scan results back here.
Also let me know how the machine is running now.
MM
Hmm... I already use CCleaner from time to time. However, I also let it clean "Old Prefetch data". Perhaps I shouldn't?
As for RAM, I currently have 3,25 GB RAM.
Yes my computer is from HP so the file should be legitimate. I uploaded it to the site you linked to, and it came up clean. It also came up clean on Jotti's virusscan.
However, today I made a scan with a-squared and it found a few things. In a few freeware games (which I had downloaded but not played yet) it found Constructor.Win32.IDL.a. I allowed it to delete them. Its heuristic also detected ComboFix (I was going to scan just for a check, but discovered that it didn't work for Vista) and some component of PC Doctor 5, which is some program that came with the computer but which I've never used. I did not allow it to delete them. However, a Google search revealed that this program produces false positives at a comparably high rate, so should I heed its warnings? Especially since none of my other programs rate those files as dangerous.
OK with the RAM. More than enough, I'd say.
Thanks for letting me know about the HP file. The result was more or less as expected.
Constructor.Win32.IDL.a > Kaspersky will also pick this up as malware and Emsisoft - the makers of a-squared - know about it. The last I heard they were looking into this one and why their scanner picks it up. Mind you that was quite a few months ago so I guess, as it's still identifying it, they don't like it.
No matter. It's been removed now from your machine anyway.
PC Doctor 5 > I know nothing about this one but, from your own research, it seems it's perhaps not the best thing to use.
I don't think there's anything more I can add to help you speed things up but please post again and let us know what's happening. Maybe others will have more ideas.
MM
Well OK, but thanks a lot man! The computer works well, at least right now. Though there is one thing that I wonder. As a Vista user, currently I use the Vista firewall. But some programs (like Spybot) are able to update definitions without me going and unblocking them in the firewall settings. Other programs (for example auto-patchers for games) require that I go into the settings and unblock them for them to work properly. And HouseCall was obviously able to automatically allow itself in the firewall settings. Now, if some programs obviously don't need me to change the settings to allow them to connect to the Internet, couldn't a malware program hypothetically do the same? Or have I missed something about the Vista firewall?