Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

Kanti

295 Posts

2970

May 12th, 2009 08:00

Here is the entire report:

I think the infection is gone. I have run the Malwarebytes' Anti-Malware program as directed. However, please go through this log as from MBAM log tab and please tell me that all is well with my computer. Here is the Log. Thank You.

Malwarebytes' Anti-Malware 1.36
Database version: 2116
Windows 6.0.6001 Service Pack 1

12/05/2009 10:29:13 AM
mbam-log-2009-05-12 (10-29-13).txt

Scan type: Quick Scan
Objects scanned: 70395
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 21

Memory Processes Infected:
c:\program files\Internet Antivirus Pro\IAPro.exe (Rogue.InternetAntivirus) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITGrdEngine (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet antivirus pro_is1 (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\APMFC1 (Rogue.AntiTrojanPro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet antivirus pro (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet antivirus pro (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro\db (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Internet Antivirus Pro (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Windows\Ad-Ware Pro (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\InternetAntivirusPro.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro\settings.ini (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro\uill.ini (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro\unins000.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro\Uninstall  Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro\db\config.cfg (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro\db\Timeout.inf (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Internet Antivirus Pro\db\Urls.inf (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Internet Antivirus Pro\Explorer.ico (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Internet Antivirus Pro\IAPro.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Internet Antivirus Pro\unins000.dat (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Internet Antivirus Pro\uninstall.ico (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Internet Antivirus Pro\working.log (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Windows\Ad-Ware Pro\uninstall.exe (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Owner\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Users\Public\Desktop\Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Windows\Ad-Ware Pro Setup Log.txt (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
C:\Windows\Ad-Ware Pro Uninstall Log.txt (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
C:\Users\Owner\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Common Files\file.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

Bugbatter

4 Apprentice

 • 

20.5K Posts

May 12th, 2009 09:00

Hello again :emotion-1:

So far so good, however, please post a HijackThis log so we can check any vulnerabilities. Let us know how things are running after that.

Kanti

295 Posts

May 12th, 2009 20:00

Things are running fine after getting your help. So far so good. I am back to browsing on internet without any troubles from "Internet Anti Virus Pro". This program has caused panic within myself. I have never experienced such troubles in 15 years of working on computers.

Please tell me how do I post a "Hijack This Log". Where can I find it?

Thank You,

Kanti 

 

Bugbatter

4 Apprentice

 • 

20.5K Posts

May 12th, 2009 21:00

The instructions for HijackThis are in the announcement at the top of this forum, but you can download HJT Installer for version 2.02 from Here to your desktop.

  • Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.
  • It will be installed by default here: C:\Program Files\Trend Micro\HijackThis.
  • A shortcut to the application will also be placed on your Desktop.
  • The program will open automatically after installation.
  • You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.
  • Open HijackThis, check the Main Menu button at the bottom center. When the main menu appears check the box "Show this window when I start HijackThis".
  • Run a Scan and Save Log. When the log pops  up at the end of the scan, please copy and paste it into your next reply.

Kanti

295 Posts

May 13th, 2009 06:00

Here is a Log after running "Scan and Save Log" from Hijack This as explained by you above in this thread. Please kindly go through it and let me know if my system  is now clean or not. Thank You.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:11 AM, on 13/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgentComHandler.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=74&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Rogers Online Protection\Rogers Online Protection\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ConnectionManager] C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RogersServicepointAgent.exe] "C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Rogers Online Protection\Rogers Online Protection\IdxClnR.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Rogers Online Protection\Rogers Online Protection\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Rogers Online Protection (Radialpoint Security Services) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Rogers Online Protection Firewall (RP_FWS) - Rogers - C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Simply Accounting Database Connection Manager - Sage Software - C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11325 bytes

 

Bugbatter

4 Apprentice

 • 

20.5K Posts

May 13th, 2009 07:00

We'll need to do some more scanning.

To prevent Spybot's Teatimer from interfering with removals please disable it temporarily. Please disable Spybot's Teatimer via MSCONFIG:
http://www.netsquirrel.com/msconfig/msconfig_vista.html

When you get to the Startup tab, UNcheck the entry for TeaTimer until this is over...
1. Open Spybot
2. Click Mode -> Advanced Mode
3. Click Yes
4. Click Tools (located in the bottom left corner) -> Resident
5. Uncheck 'Resident "TeaTimer" (Protection of over-all system settings) active'
6. Then close Spybot.
Reboot.
Verify that Teatimer is not running.
After ALL cleaning of your system has been completed and we have confirmed that your computer is clean, reverse these steps and re-enable the protection applets for TeaTimer

Please update MBAM and run a Full scan this time. You should have at least database 2122. (Yours is still at 2116.)

Please post the new log.

Also, please open HijackThis and click on the "Open the Misc Tools section" button.
Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Select a place to save it. The list should open in notepad.
Copy and paste that list here.

Kanti

295 Posts

May 14th, 2009 19:00

I am sorry for delay in posting the info. I have followed your instructions properly without any mistakes (credit goes to you).

Here are two logs:

This one is from Hijack This.

ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
APC PowerChute Personal Edition
Enhanced Multimedia Keyboard Solution
Google Desktop Search
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hardware Diagnostic Tools
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
HPAsset component for HP Active Support Library
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 13
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsophic products - Common Components
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.0
My HP Games
MySQL Connector/ODBC 3.51
NoAdware v5.0
NVIDIA Drivers
OrganizeMY Electronic Filing Cabinet For Dummies
PerfectDisk
Picasa 2
Python 2.5
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Rogers Online Protection
Rogers Servicepoint Agent 2.0.21
Rogers Update Manager
Rogers Yahoo! Applications
Rogers Yahoo! Music Jukebox
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS Backup
RPS Burn
RPS CRT
RPS Diagnostic Utility
RPS Firewall
RPS Ksdk
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip
Shop for HP Supplies
Simply Accounting by Sage 2008
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
T1-2006
T1-2007
T1-2008 1.00
T4 Internet - T4 par Internet 9.0
TR-2007
Uniblue DriverScanner 2009
Uniblue DriverScanner 2009
VeryPDF PDFcamp Printer v2.1
WD Diagnostics
WeatherBug Gadget
Yahoo! Search Protection

                                                                                                     *****************************

This one is from updated MBAM Log:

Malwarebytes' Anti-Malware 1.36
Database version: 2131
Windows 6.0.6001 Service Pack 1

14/05/2009 2:13:18 PM
mbam-log-2009-05-14 (14-13-18).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Objects scanned: 224527
Time elapsed: 2 hour(s), 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Owner\Desktop\Temp\noadware.exe (Rogue.Installer) -> Quarantined and deleted successfully.

                                                                                                 *************************

There was one malicious item detected called "Rogue.Installer" which was Quarantined and I deleted it from Quarantine area. This Log is having database 2131 which is more then 2122 as mentioned by you.

Please kindly let me know if I have followed your instructions correctly and my system is now clean. If it is clean now then what steps I take for future to avoid this problem.

Thank You,

Kanti

Bugbatter

4 Apprentice

 • 

20.5K Posts

May 14th, 2009 19:00

I do not recall asking you to delete what was in quarantine. You might as well go to Add/Remove and see if you can remove the rest of NoAdware v5.0.

After that, run DiskCleanup in each user's profile.

1. Open Disk Cleanup by clicking the Start button Picture of the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Cleanup.

2. In the Disk Cleanup Options dialog box, choose whether you want to clean up your own files only or all of the files on the computer. Administrator permission required If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. If the Disk Cleanup: Drive Selection dialog box appears, select the hard disk drive that you want to clean up, and then click OK.

4. Click the Disk Cleanup tab.

* Please make sure only the following are checked:

-- Downloaded Program Files

-- Temporary Internet Files

-- Recycle Bin

-- Temporary Files

5. When you finish selecting the files you want to delete, click OK, and then click Delete files to confirm the operation. Disk Cleanup proceeds to remove all unnecessary files from your computer.

Download -- to your Desktop -- JavaRa.Zip from either of these two sites:
http://prm753.bchea.org/click/click.php?id=9
http://www.majorgeeks.com/JavaRa_d5967.html

  • Unzip the download. This will create a new Folder, JavaRa on your Desktop.
  • Double click this new Folder to open it, and double click the file within: JavaRa to execute the program.
  • Click the button: Remove Older Versions.
  • Agree to the cleanup operation by clicking Yes. After a moment, a notice will appear that a log file has been produced. Click OK. Close the Notepad view that opens.
  • Click the button: Other Tasks.
  • Choose these options:
  • Remove Useless JRE Files
    Remove Startup Entry
    Remove JavaRa Logfile
  • Click Go. When it finishes, click OK to close the panel, and then Exit the program.
  • Delete the download, and the unzipped folder and all contents.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Download Java Runtime Environment (JRE) 6 Update 13.
  • Select Windows Offline Installation > SAVE it to your desktop, do not RUN it yet.
  • When the download is complete, close all browser windows and double-click on the saved file to install the update. Be patient: It may take five (5) minutes or more for the installation to complete.
  • If the installation gives you the option to install a toolbar UNCHECK the option if you don't want it .

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Please post a fresh HijackThis log and let me know how things are running. If all is running smoothly,  we'll flush System Restore.

Kanti

295 Posts

May 14th, 2009 21:00

I am sorry. You did not ask me to delete what was in quarantine. Have I messed up something? Anyhow, I will work around your new instructions but now I must go to bed - it is 11.00 pm here in Canada. I will be back with you tomorrow.

I hope you are not angry with me? Good Night.

Kanti

Bugbatter

4 Apprentice

 • 

20.5K Posts

May 14th, 2009 21:00

No, I'm not angry with you.  Just so you know for the future, it is not always good to immediately delete what is in quarantine until you have verified that it is not a false positive.

Kanti

295 Posts

May 15th, 2009 05:00

No, I'm not angry with you.  Just so you know for the future, it is not always good to immediately delete what is in quarantine until you have verified that it is not a false positive.

 

I have gone through the complete process without any problems. Except, Spybot kept asking me to accept the changes and I did accepted the changes. This was happening when I was installing (JRE) 6 Update 13.  Have I done  anything wrong here?

So far, all  is running fine and smoothly.

Here is the fresh HijackThis Log:

ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
APC PowerChute Personal Edition
Enhanced Multimedia Keyboard Solution
Google Desktop Search
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hardware Diagnostic Tools
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
HPAsset component for HP Active Support Library
Java(TM) 6 Update 13
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsophic products - Common Components
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.0
My HP Games
MySQL Connector/ODBC 3.51
NVIDIA Drivers
OrganizeMY Electronic Filing Cabinet For Dummies
PerfectDisk
Picasa 2
Python 2.5
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Rogers Online Protection
Rogers Servicepoint Agent 2.0.21
Rogers Update Manager
Rogers Yahoo! Applications
Rogers Yahoo! Music Jukebox
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS Backup
RPS Burn
RPS CRT
RPS Diagnostic Utility
RPS Firewall
RPS Ksdk
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip
Shop for HP Supplies
Simply Accounting by Sage 2008
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
T1-2006
T1-2007
T1-2008 1.00
T4 Internet - T4 par Internet 9.0
TR-2007
Uniblue DriverScanner 2009
Uniblue DriverScanner 2009
VeryPDF PDFcamp Printer v2.1
WD Diagnostics
WeatherBug Gadget
Yahoo! Search Protection

                                                                                  *************************************************

Please let me  know your next steps. I will be back after 45 minutes.

Thank You,

Kanti

 

Kanti

295 Posts

May 15th, 2009 06:00

Hi, I am back.

I am confused now. Same thing has happened again. I tried to go to the same web site from where I had this "Internet Anti Virus Pro" . I thought to try this Indian Web Site (called Akila News Rajkot) and has happened same thing again. "Internet Anti Virus Pro" has suddenly started scanning my hard drives and it don't stop. It want me to download the program. I did not do so. I had to get out and reboot the computer. I am back now on internet and tried the same website. This time "I A Virus Pro" did not come up. Nothing happened, no harddrive scanning. For your info I  have been visiting this site for last two years and never had this problem ever before.

I am confused. If it is a problem with this Indian Web Site then I will not visit the site in future. I have done nothing wrong. Please let me know your views. What do I do now? Have I been infested again?

Thank You,

Kanti

Kanti

295 Posts

May 15th, 2009 07:00

I tried this Indian WebSite again just now. There was a running message like this "This website wants to run the following add-on 'Remote Data Service Data Control' from Microsoft Corporation web site. If you trust the web site and the add-on and want to allow it to run, click here."

I did not click and then nothing happened. "Internet Anti Virus Pro" did not run and did not started scanning the hard drives. The message was disappeared. I did the browsing on this Indian Web site and nothing happended. So what is going on  here, please.

Thank You,

Kanti

Bugbatter

4 Apprentice

 • 

20.5K Posts

May 15th, 2009 13:00

There is probably some bad code on that site.  Is that the only site that you visit where this happens?

Certain sites will display a pop-up ad stating that your computer has infections, even though the website has no way of knowing that, and then pretends to be a program scanning your computer for malware. Once this ad has finished with its act you will see another popup stating that a variety of infections were found and that you should download and install Internet Antivirus Pro. I'm glad you backed out of that! 

If you decide to download and install the program, Internet Antivirus Pro will be set to automatically run when your computer starts. Once started, it will scan your computer and display a variety of legitimate programs and folders and state that they are infection. These infections, though, can't be removed unless you first register the program. This act of displaying legitimate entries as malware is being done to scare you into purchasing the program. In fact, if you deleted all of the files and folders that it stated were infections, your computer would not run properly.

It might be good to do a follow-up check with updated MBAM just to be sure nothing new installed on to your computer, but it sounds as if it is on the website and not on your computer because you did not allow to install it.  (MBAM is currently at  database 2137.) Let me know if the new MBAM scan finds anything.

Kanti

295 Posts

May 15th, 2009 17:00

Hi,

The current MBAM database is 2138.  The new scan did not find anything. However, I saw 31 items stored in MBAM Quarantine from previous scan dated 12-5-2009 all of them related to Rogue.InternetA..; Trojan. FakeAleret & Rogue.Ad ware.Pro.  Can I remove them?

Here is the new Log from database 2138:

Malwarebytes' Anti-Malware 1.36
Database version: 2138
Windows 6.0.6001 Service Pack 1

15/05/2009 7:29:03 PM
mbam-log-2009-05-15 (19-29-03).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Objects scanned: 223639
Time elapsed: 1 hour(s), 42 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

***************************************************************************************************************************************************************************************

Thank You,

Kanti

Bugbatter

4 Apprentice

 • 

20.5K Posts

May 15th, 2009 21:00

I saw 31 items stored in MBAM Quarantine from previous scan dated 12-5-2009 all of them related to Rogue.InternetA..; Trojan. FakeAleret & Rogue.Ad ware.Pro.  Can I remove them?
As long as everything is running well, you can delete those.

If everything is running smoothly after that, it would be good to flush System Restore so you can start fresh. We'll purge the old, infected Restore Points by turning System Restore off and on again.

To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK

 

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

If you have installed Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:


1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS. Microsoft's widows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.

3.You might consider installing Mozilla / Firefox.
http://www.mozilla.com/en-US/

4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

5. Before using or purchasing any Spyware/Malware protection/removal program, always check the following Rogue/Suspect Spyware Lists. http://www.spywarewarrior.com/rogue_anti-spyware.htm http://www.malwarebytes.org/database.php

6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

7. Practice Safe Surfing with with TrendProtect by Trend Micro. This is not compatible with Firefox 3.0 yet. TrendProtect is a browser plugin that assigns a safety rating to domains listed in your search engine. TrendProtect also adds a new button to your browser's toolbar area. The icon and color of the button changes to indicate whether the page currently open is safe, unsafe, trusted, or unrated, or whether it contains unwanted content. The following color codes are used by TrendProtect to indicate the safety of each site.

  • Red for Warning
  • Yellow for Use Caution
  • Green for Safe
  • Grey for Unknown

Alternatively, Web Of Trust is a similar add-on that can also be used for Internet Explorer.  It uses colored alerts to warn about risky websites that try to scam visitors, deliver malware, or send spam. There is a Web Of Trust version for Firefox as well.

8. You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here:http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates

9. Here are some helpful articles:
"How did I get infected?"
http://www.bleepingcomputer.com/forums/topic2520.html


"I'm not pulling your leg, honest"
by Sandi Hardmeier
http://www.microsoft.com/windows/IE/community/columns/pulling.mspx

Happy and Safe Surfing!

Was this post helpful?

View All

0 events found

No Events found!

Top