
322 Posts

March 11th, 2008 23:00

Unrecognized files; "Wait A Minute for A....."

Good evening:

 

Let me start by saying, please bear with me.  This is my first time posting a HJT and it is somewhat intimidating.  But I am confident since I have been greatly assisted by this community on many occasions.

 

This morning I checked McAfee's Security Center's log (as I do on a routine basis) and noticed numerous system guard entries for yesterday and this morning while I was using the computer.  These entries were for unauthorized registry changes to the IE and unauthorized registry changes to Active X installations.

 

I am normally aware of why and when these changes were made.  However, in this case it was continuing throughout the day while I was requesting assistance from the forum community.

 

There are more than 25 entries occurring approximately every 1/2.

 

Things began to get interesting after I received an IE warning of an unrecognized file.  Soon after my screen crashed.  As the homepage began to reload a message appeared with the following information:

 

"Wait A Minute for a Quick Dose of Awesomeness"

 

I quickly clicked IE's thumbnail and closed the page.

 

I scanned my computer using the following:  SuperAntispyware, Windows Malicious Software Remover, Avast, Adaware 2007 and McAfee of course.  All updated.

 

My specs are simple:  Dell Dimension E521, 3gbs, Vista Home Premium, McAfee (paid) Security Center.

 

I ran HJT according to your instructions and will do my best as I attempt to copy it to this page.

 

Thanking you in advance for your assistance.

 

Nissi1

 

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:46 PM, on 3/11/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Windows\sttray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\windows defender\MSASCui.exe
C:\Program Files\Common Files\aol\1181882825\ee\aolsoftware.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://support.dell.com
O15 - Trusted Zone: http://www.dellcommunity.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.passport.com
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/msn/TrueInstallMSN.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9030 bytes
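The HijackThis log above groups entries by section code (R0/R1 for IE start and search pages, O2 for browser helper objects, O15 for Trusted Zone hosts, O16 for ActiveX controls downloaded into Downloaded Program Files, O23 for services). The script below is an added example, not part of the original thread and not HijackThis code: it parses lines in that format and pulls out what a reviewer reads first, namely BHO entries whose DLL is missing (like the `(no file)` line above), every Trusted Zone entry, every O16 download with its host, and services with an unknown owner. The sample lines are copied from the log above; a finding means "look at this", not "this is malicious".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# One HijackThis entry: section code (R0/R1/O2/O16/O23...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

@dataclass
class Finding:
    code: str
    reason: str
    line: str

def parse_line(raw: str) -> Optional[Tuple[str, str]]:
    """Return (code, body) for a HijackThis entry; None for header or process lines."""
    m = HJT_LINE.match(raw.strip())
    return (m.group("code"), m.group("body")) if m else None

def count_by_code(lines: List[str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for raw in lines:
        parsed = parse_line(raw)
        if parsed:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts

def triage(lines: List[str]) -> List[Finding]:
    """Flag entries a reviewer checks first; a finding means 'look here', not 'malicious'."""
    findings: List[Finding] = []
    for raw in lines:
        parsed = parse_line(raw)
        if not parsed:
            continue
        code, body = parsed
        if code == "O2" and body.endswith("(no file)"):
            # CLSID still registered but the DLL is gone (uninstall leftover or scanner deletion).
            findings.append(Finding(code, "BHO registered but DLL missing", raw))
        elif code == "O15":
            # Trusted Zone entries relax IE's security settings for that host.
            findings.append(Finding(code, "Trusted Zone entry lowers IE security", raw))
        elif code == "O16":
            # DPF (Downloaded Program Files): an ActiveX control fetched from this URL.
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or "?"
            findings.append(Finding(code, f"ActiveX control downloaded from {host}", raw))
        elif code == "O23" and "Unknown owner" in body:
            # Service binary carries no recognised vendor information.
            findings.append(Finding(code, "service with unknown owner", raw))
    return findings

# Sample input: eight lines copied from the HijackThis log above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O15 - Trusted Zone: http://support.dell.com
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/msn/TrueInstallMSN.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\aawservice.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\\Program Files\\SiteAdvisor\\6253\\SAService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.code}: {f.reason}\n    {f.line.strip()}")
```

To run it over a full log, pass the saved HijackThis file's lines to `triage()`; the `Running processes:` block and headers are skipped automatically.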
4 Apprentice
20.5K Posts

March 13th, 2008 15:00

Hi, Nissi1

Unfortunately I do not see anything unusual in your log. Have you had any new symptoms? Vista is a pretty secure operating system, so unless you disabled some security, this is surprising.
Were the events in your firewall log external (incoming) or outgoing?
Let's try an online scan with rootkit detection.
Please perform this online scan: F-Secure Online Scanner
The online scanner is on the bottom right of the page.
Direct link: http://support.f-secure.com/enu/home/ols.shtml

Follow the directions on the F-Secure page for proper Installation.

* You may receive an alert on the address bar at this point to install the ActiveX control.
* Click on that alert and then click "Install ActiveX component".
* Read the license agreement and click "Accept".
* Click "Custom Scan" and be sure the following are checked:
  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics
* When the scan completes, click the "I want to decide item by item" button.
* For each item found, select "Disinfect" and click "Next".
* When done, click the "Show Report" button, then copy and paste the entire report into your next reply.

322 Posts

March 14th, 2008 16:00

Good afternoon Bugbatter,

 

God bless you for your reply. 

 

I attempted to run the scan, however my computer would not allow me to install the ActiveX component.  Message read:  "Insufficient rights to use Active X controls...."  This is ridiculous since I installed an ActiveX component just yesterday when I downloaded PC Checkup.

 

I restored the computer back to yesterday hoping that would help.  It did not.  It completed the restore and placed two notepads on the desktop with the following messages:

 

1.  [.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

 

2.  [.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

 

I do not know what all this means, I just know these incidents have never occurred in the past.

 

Also, McAfee's security log continues to report registry changes to the web browser that I did not make.

 

Thank you for your assistance.

 

Nissi1/Zandra

 

322 Posts

March 14th, 2008 16:00

To answer your question, the events reported are in the SystemGuard log.  The inbound log reports only port scans, and there are 2 outbound attempts made by Picture It (?), which I have never used.  Gratefully the firewall blocked them both.

322 Posts

March 15th, 2008 11:00

Good morning Bugbatter,

 

Since your reply several things have happened.  As stated, I could not run the scan due to "insufficient rights to use Active X controls....."  I made several attempts, to no avail.

 

Further:  called Dell Support, had long wait due to heavy traffic;  tried posting problem in Vista software forum, could not due to "Authentication failure";  tried "restore", did not help.

 

Finally got through to Dell Support and the above problems were resolved (?).  I ran the scan 3 times with all windows closed, even IE.  Each time, approximately 1 hour into the scan, it abruptly stopped due to "IE stopped working".  As I stated, I closed IE before each scan.  It is also ironic that each scan stopped in almost the same area.

 

Before the last scan abruptly stopped, the log revealed 999 files skipped and 1 spyware.

 

Please post back with further suggestions since I am at a loss.

 

Thank you again,

 

Nissi1

4 Apprentice
20.5K Posts

March 15th, 2008 12:00

See if you can run this online scan here:
http://www.eset.eu/online-scanner
• Accept the Terms of Use;
• Approve the install of the required ActiveX Control, then follow on-screen instructions.
• Disable the protection of your resident anti-virus program after installing the ActiveX control that Eset has installed, and again when you actually start scanning.
• Enable (check) the Remove found threats option, and run the scan.
• After the scan completes, the Details tab in the Results window will display what was found and removed. A record of these results will be found here: C:\program files\esetonlinescanner\log.txt. Please include a copy of that log in your next reply along with a fresh HijackThis log.
This online scan may take quite a bit of time to complete so please be patient. If necessary, allow the scan to run overnight. Please do not use the machine to do anything else (e.g. browse; check email; chat) until the scan completes.

** ESET Online Scanner works in Windows Vista, provided you first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu.

322 Posts

March 15th, 2008 16:00

Good afternoon Bugbatter,

 

The good news, "0 threats were found" (see logs below).  Which is very good news and a tremendous relief. 

 

 

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2949 (20080315)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=afb0a2d6178012449d174b40b6ae0881
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2008-03-15 05:07:38
# local_time=2008-03-15 01:07:38 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.0.6000 NT
# scanned=268211
# found=0
# scan_time=2453

 

# vers_standard_module=2949 (20080315)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)

 

Whatever caused the problems earlier continues to be a mystery.  But now I know it was not caused by some form of malware.

 

I cannot fully express how grateful I am for your assistance.

 

Thank you and have a Blessed Day!

 

Nissi1

4 Apprentice
20.5K Posts

March 15th, 2008 18:00

That's good news! :)

It seems that you are free of malware.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.
Note: Zone Alarm Firewall (by Checkpoint) has a free version http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads

3. You might consider installing Mozilla / Firefox.
http://www.mozilla.org/

4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

5. Before using or purchasing any Spyware/Malware protection/removal program, always check the following Rogue/Suspect Spyware Lists.
http://www.spywarewarrior.com/rogue_anti-spyware.htm
http://www.malwarebytes.org/database.php

6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/
** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

7. Make sure you are using the most updated version of Java.
The current version is Java Runtime Environment (JRE) 6u5

You can go here to download the latest version of Java Runtime Environment (JRE) 6.
Scroll down to where it says "Java Runtime Environment (JRE) 6u5 allows end-users to run Java applications".

Click the link to download the Windows (Offline Installation) package: Save it, do not run it. When the download is complete, close the browser.

Remove all prior versions using Add/Remove Programs, and delete the Java folder in Program Files.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
Official JAVA Installation Instructions if needed.
Reboot.

8. Practice Safe Surfing with TrendProtect by Trendmicro.
TrendProtect is a browser plugin that assigns a safety rating to domains listed in your search engine. TrendProtect also adds a new button to your browser's toolbar area. The icon and color of the button changes to indicate whether the page currently open is safe, unsafe, trusted, or unrated, or whether it contains unwanted content.

The following color codes are used by TrendProtect to indicate the safety of each site.

Red for Warning
Yellow for Use Caution
Green for Safe
Grey for Unknown

9. You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates.

10. Here are some helpful articles:
"So how did I get infected in the first place?"
by TonyKlein
http://computercops.biz/postlite7736-.html

"I'm not pulling your leg, honest"
by Sandi Hardmeier
http://www.microsoft.com/windows/IE/community/columns/pulling.mspx

11. This is an excellent resource for users of all levels. General computer maintenance as well as internet security is covered.
Rootkits for Dummies
(Paperback)
by Larry Stevenson (Author), Nancy Altholz (Author)

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!

322 Posts

March 15th, 2008 21:00

Dear Bugbatter (the name is truly appropriate),

 

All I could say after reading your last post was WOW!

Such a treasure load of information.

 

Some of your suggestions are presently in place.  I will begin instituting the others immediately.

 

Again, may God continue to richly bless you.

 

Nissi1
