I think I have malware. Can someone help?

Post by viva8la7ram » May 27th, 2008, 1:25 am

I am currently fixing a PC for someone. The PC is running Windows Vista Home Premium. I know that they are infected because there are some things that are acting erratic AND they told me that they didn't have any virus and/or spyware protection FOR 6 MONTHS!!! So I'm left to clean up after their mess. Anyways, I have noticed that on the Start Menu, the programs are always reset to the same ones that the PC originally came with:

- Welcome Center
- Windows Media Center
- Windows Media Player
- Windows Photo Gallery
- - Gateway Game Console -
- NetZero
- Windows DVD Maker
- Windows Calendar

I can go and delete them and run programs that I use so that I can have them there for easier access, but every time that I restart the PC, those programs that I put there are wiped and these return.

Anyways, I have been doing maintenance on the PC all day. I have already cleaned up the spyware that these programs detected:

- AVG Anti-Virus 8
- Spybot - Search & Destroy
- Ad-Aware 2008

Even though I did this cleanup, I still have suspicions that there may be more infections on the PC that those programs have not picked up. Every time that I am using Internet Explorer 7, AVG Anti-Virus 8 ALWAYS picks up these tracking cookies:

- cookie.Mediaplex
- cookie.Tribalfusion
- cookie.Questionmarket
- cookie.Atdmt
- cookie.Webtrends
- cookie.Revscie
- cookie.Doubleclick
- cookie.Adrevolver
- cookie.Realmedia
- cookie.Burstnet
- cookie.Advertising
- cookie.Fastclick

I ALWAYS have to end up cleaning them out and I'm tired of it. So those are my suspicions. I know you're probably already tired of reading this so let me post the HijackThis log now. I have to run it as an administrator just to get everything:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:23 AM, on 5/27/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Security\AVG Anti-Virus\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... P&M=GM5472
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... P&M=GM5472
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... P&M=GM5472
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Security\AVG Anti-Virus\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\Security\AVGANT~1\avgtray.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre ... 586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\Security\AVG Anti-Virus\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Security\Ad-Aware 2008\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - F:\ares\chatServer.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Security\AVGANT~1\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\Security\AVGANT~1\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Security\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6711 bytes

If someone could be so kind as to help me out here and look at the log and see if I have any kind of infections, that would be greatly appreciated. By the way, I looked at the HijackThis scan also and deleted empty files (files that said no file at the end). I noticed that there's an entry in there that says AresChat something and it says file missing. The reason for that is that the client installed Ares into their external hard drive and because I don't have it with me, it says file missing. Thanks!

-Ram
viva8la7ram
Active Member
Posts: 7
Joined: May 27th, 2008, 1:04 am
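The log above is a list of autostart locations (hosts file, Browser Helper Objects, Run/RunOnce keys, AppInit_DLLs, services) with the file each one resolves to. Below is an added example, not part of the thread and not HijackThis's own code, that collects the same categories (O1, O2, O4, O20, O23) with Windows PowerShell, resolves each entry to a file, and flags entries whose file is missing or not validly signed, which is the first thing a reviewer checks on such a log. It assumes an elevated Windows PowerShell 3.0 or later prompt and changes nothing on the system.

```powershell
# Added example (not part of the thread): enumerate the autostart locations that
# HijackThis reports as O1 (hosts), O2 (BHOs), O4 (Run/RunOnce), O20 (AppInit_DLLs)
# and O23 (services), resolve each entry to a file, and flag files that are
# missing or carry no valid Authenticode signature. Read-only. Run from an
# elevated Windows PowerShell (3.0+) prompt, as HijackThis itself had to be.

$findings = New-Object System.Collections.Generic.List[object]

function Resolve-CommandPath([string]$Command) {
    # Extract the binary from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /tray     or     rundll32.exe foo.dll,Entry
    # and expand %WINDIR%-style variables. Returns $null for an empty value.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"')                      { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|dll|sys|cpl))(\s|$)')  { return $Matches[1] }
    return $c
}

function Add-Finding([string]$Category, [string]$Name, [string]$Command) {
    $file = Resolve-CommandPath $Command
    # Bare names such as the AppInit_DLLs value "avgrsstx.dll" load from System32.
    if ($file -and -not [IO.Path]::IsPathRooted($file)) {
        $candidate = Join-Path $env:SystemRoot "System32\$file"
        if (Test-Path -LiteralPath $candidate) { $file = $candidate }
    }
    $exists = [bool]($file -and (Test-Path -LiteralPath $file))
    $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $file).Status } else { 'FileMissing' }
    $findings.Add([pscustomobject]@{ Category = $Category; Name = $Name; File = $file; Signature = "$status" })
}

# O1: hosts entries. Loopback/unspecified targets (127.0.0.1, 0.0.0.0, ::1) are
# blocklist style; anything else redirects a name elsewhere and needs a look.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue)) {
    $line = ($raw -split '#')[0].Trim()          # drop comments and blank lines
    if (-not $line) { continue }
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { continue }
    $kind = if ($parts[0] -match '^(127\.0\.0\.1|0\.0\.0\.0|::1)$') { 'Loopback' } else { 'REDIRECT' }
    $findings.Add([pscustomobject]@{ Category = 'O1 Hosts'; Name = $parts[1]; File = $parts[0]; Signature = $kind })
}

# O2: Browser Helper Objects, resolved through each CLSID's InprocServer32 path.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($k in Get-ChildItem $bhoKey) {
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        Add-Finding 'O2 BHO' $k.PSChildName ([string]$srv.'(default)')
    }
}

# O4: Run/RunOnce under HKLM and under every loaded user hive (HKU\S-1-5-xx),
# which is where the LOCAL SERVICE / NETWORK SERVICE / .DEFAULT lines come from.
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run', 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
$hives   = @('HKEY_LOCAL_MACHINE') + (Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "HKEY_USERS\$($_.PSChildName)" })
foreach ($hive in $hives) {
    foreach ($rel in $runKeys) {
        $key = "Registry::$hive\$rel"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSChildName fields
            Add-Finding "O4 $hive" $p.Name ([string]$p.Value)
        }
    }
}

# O20: AppInit_DLLs (space- or comma-separated; loaded into every process that links user32).
$appInit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) { Add-Finding 'O20 AppInit_DLLs' $dll $dll }

# O23: services, by image path. An entry whose image is gone (like the Ares chat
# server on the detached F: drive in the log) shows up as FileMissing.
foreach ($svc in Get-CimInstance Win32_Service) { Add-Finding 'O23 Service' $svc.Name ([string]$svc.PathName) }

# Everything not validly signed, not on disk, or redirecting a host name is the
# reviewer's starting list; signed, present entries are left out of the table.
$findings | Where-Object { $_.Signature -notin 'Valid', 'Loopback' } |
    Sort-Object Category, Name | Format-Table -AutoSize
```

Treat an unsigned or missing file as a lead, not a verdict: plenty of legitimate software of that era shipped unsigned (several of the vendors in the log did), and a missing file can simply be a detached drive, as the poster explains for the Ares entry. What the table gives you is the short list worth looking up by hash and path rather than the whole log.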

Re: I think I have malware. Can someone help?

Post by Shaba » May 29th, 2008, 10:41 am

Hi viva8la7ram

Those tracking cookies come due to incorrect browser settings. However, they are not real threats.

See here and post back if it helped :)
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: I think I have malware. Can someone help?

Post by viva8la7ram » May 29th, 2008, 1:50 pm

Well, I tried what you asked me to do. That website is a bit outdated though, as the screenshots look like they show Internet Explorer 6 and an older version of Mozilla Firefox lol. The newer versions of Mozilla Firefox don't have that option of setting the cookies up just for the originating site. :( Oh well.. But it is still useful. I went to the Privacy tab in Internet Explorer 7 and changed it. BUT I realized that after I scanned with AVG Anti-Virus, everything it would detect would be moved to the Virus Vault. From there, in order for the cookies not to show up again, I would have to remove and/or delete them completely, so that's what I did. Ever since then, I haven't had any problems with those cookies. I do get others though, but all I do is follow the same routine with the Resident Shield settings and they are gone. :)

BUT I am still having that issue with the programs list under the Start Menu in Windows Vista. Usually, you are allowed to set your own programs there for easier access but when I restart the system, the old programs always return. I don't know if this is normal or not. I even upped the security on that computer by adding the programs Spyware Doctor Starter Edition, SpywareBlaster, SUPERAntiSpyware, and ThreatFire. I scanned with those programs (with the exception of SpywareBlaster, of course) and with some I did get tracking cookies, but I got rid of them. I didn't find any other kind of threat and I don't know what to do now. Is this PC really infected, or am I just being paranoid?

Re: I think I have malware. Can someone help?

Post by Shaba » May 29th, 2008, 1:55 pm

Hi

Are you doing that from administrator account?

Re: I think I have malware. Can someone help?

Post by viva8la7ram » May 29th, 2008, 2:31 pm

Well the users that I am going to (there are only 2 on the PC) are both labeled as Administrators. But I do understand that Windows Vista has that little layer of protection where even if you're labeled as an administrator, sometimes you can't do things without first right-clicking the program and hitting "Run as administrator", as was the case with Spybot - Search & Destroy. I could not immunize the system without first being an administrator (which I thought was really weird).

By the way, thanks for trying to help. I appreciate it. :lol:

Re: I think I have malware. Can someone help?

Post by Shaba » May 30th, 2008, 11:48 am

Hi

Then I don't think that I can help you with that issue, but I can redirect you to some Windows forum. Is it ok?

Re: I think I have malware. Can someone help?

Post by viva8la7ram » May 30th, 2008, 2:44 pm

Ok. That will be fine as long as I can find an answer to this issue ASAP. Thanks! :)

Re: I think I have malware. Can someone help?

Post by Shaba » May 31st, 2008, 4:27 am

Hi

I recommend this forum.

Re: I think I have malware. Can someone help?

Post by viva8la7ram » June 1st, 2008, 12:43 am

Thanks a lot for recommending that website to me. It has a lot of helpful tools and advice that anyone can use to help keep their system running at optimal levels and clean from any type of infection.

I do have a question though. You were trying to help me out but you never once mentioned anything in the HijackThis log that I posted. You never said if I had any kind of infection or anything like that. I'm guessing you looked at it and everything seemed ok. Am I correct? I have no infections at all? I just want to be sure that I am clean at least.. :?

Re: I think I have malware. Can someone help?

Post by Shaba » June 1st, 2008, 4:52 am

Hi

Yes, your HijackThis log is clean :)

Re: I think I have malware. Can someone help?

Post by viva8la7ram » June 1st, 2008, 5:00 am

Woo! Thanks a bunch! :lol: That's just what I wanted to hear lol.. For reals, thanks for trying to assist me. I really appreciate it. Because I am clean, I guess this thread will close..

-RaM-

Re: I think I have malware. Can someone help?

Post by Shaba » June 1st, 2008, 5:08 am

Hi

Before that, some tips for the future :)

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
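The Internet Explorer steps in the post above set six Internet-zone (zone 3) settings through the Tools dialog. Below is an added example, not part of the thread, that applies the same six settings for the current user through the registry and verifies them, which is easier to repeat across the two administrator accounts on the machine than clicking through the dialog twice. The value names (1001, 1004, 1201, 1800, 1804, 1607) and the 0/1/3 encoding follow Microsoft's documentation of the Internet Explorer security-zone registry entries; the key path is the per-user one, so the script must be run under each account being configured.

```powershell
# Added example (not part of the thread): apply the six Internet-zone settings
# from the post to the current user's Internet Explorer configuration via the
# registry, then verify them. Value IDs and meanings follow Microsoft's
# documentation of the IE security-zone registry entries:
#   0 = Enable, 1 = Prompt, 3 = Disable.

$zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting id -> description and the value the post asks for.
$hardened = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([string]$Id) {
    # Returns the current DWORD, or $null when the value is absent (IE then
    # falls back to the zone template's default for that setting).
    $v = (Get-ItemProperty -Path $zone3 -Name $Id -ErrorAction SilentlyContinue).$Id
    if ($null -eq $v) { return $null }
    return [int]$v
}

function Set-ZoneSetting([string]$Id, [int]$Value) {
    if (-not (Test-Path $zone3)) { New-Item -Path $zone3 -Force | Out-Null }
    Set-ItemProperty -Path $zone3 -Name $Id -Value $Value -Type DWord
}

function Test-ZoneHardening {
    # Returns one row per setting that still differs from the requested value.
    $drift = @()
    foreach ($id in $hardened.Keys) {
        $cur = Get-ZoneSetting $id
        if ($cur -ne $hardened[$id].Want) {
            $drift += [pscustomobject]@{
                Id      = $id
                Setting = $hardened[$id].Name
                Current = if ($null -eq $cur) { '(not set)' } elseif ($labels.ContainsKey($cur)) { $labels[$cur] } else { $cur }
                Wanted  = $labels[$hardened[$id].Want]
            }
        }
    }
    return $drift
}

'Before:'
Test-ZoneHardening | Format-Table -AutoSize

foreach ($id in $hardened.Keys) { Set-ZoneSetting $id $hardened[$id].Want }

'After (an empty table means every setting matches the post):'
Test-ZoneHardening | Format-Table -AutoSize
```

Two caveats a practitioner will want: Internet Explorer reads these values when it starts, so close and reopen the browser before trusting the "After" table in the GUI; and if the machine is domain-joined with zone settings pushed by Group Policy, the policy copies of these keys under HKLM/HKCU\...\Policies take precedence and the per-user values above will be overridden at the next policy refresh.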

Re: I think I have malware. Can someone help?

Post by Shaba » June 5th, 2008, 9:31 am

viva8la7ram this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.