Rogue.Fake.MSE & Don't.Steal.Our.Software

Hope I did this right. Here are the files. Also, I just did a full scan with MSE and nothing was found....clean report.
 

My Computer

System One

  • Manufacturer/Model
    HPs3700y Slimline
    CPU
    AMD Athlon64 X2 (B) 50000+ 2.6 GHz (65W)
    Motherboard
    Asus M2N61-AR
    Memory
    3 GB
    Graphics card(s)
    NVDIA GeForce 6150SE nForce 430 (Integrated on motherboard)
    Sound Card
    High Definition 6-channel audio ALC 888S chipset
    Monitor(s) Displays
    SAMSUNG SYNCMASTER 914V FLAT PANEL LCD
    Screen Resolution
    1280 X 1024
    Hard Drives
    320GB SATA 3G (3.0 Gb/sec)
    PSU
    160W
    Mouse
    Logitech Marble Mouse
    Keyboard
    HP
    Internet Speed
    Broadband Cable Connection (256 Kpbs?)
    Other Info
    Not sure what case or cooling means. Could not find in any documentation. The keyboard is the standard that comes with the HP Slimline.
Looks like you use RevoUninstaller quite a bit! You really should use the specific program's uninstaller.

Please do this for me .... we're going to flush your DNS cache and restore MS's original Hosts file.

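Copy and paste these lines in Notepad.
@Echo on
rem Go to the folder that holds the Hosts file
pushd \windows\system32\drivers\etc
rem Clear the hidden/system/read-only attributes so the file can be rewritten
attrib -h -s -r hosts
rem Replace the Hosts file with a single localhost entry
echo 127.0.0.1 localhost>HOSTS
rem Put the attributes back
attrib +r +h +s hosts
popd
rem Renew the IP lease and flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset Winsock and the TCP/IP stack
netsh winsock reset all
netsh int ip reset all
rem Reboot after 1 second, then delete this batch file
shutdown -r -t 1
del %0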


Save as flush.bat to your desktop. Right click on the batch file and run as Administrator. Your computer will reboot itself.

Now let me know if you can run a full scan with MBam and SuperAntiSpyware.

Post both logs here in your next reply.
 

My Computer

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device. One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Mouse
    Microsoft PS/2 Mouse
    Keyboard
    Standard PS/2 Keyboard
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio

Jacee,

I may be in over my head here, but I'll try and follow your instructions. Right now I'm doing an MBAM scan requested by the company so I can send them a log. So this may take a while. It may be tomorrow before I get this to you. Fred
 

You can do this! It's real simple ;)
 

Jacee,

When I booted my computer this morning, I got no security warning, but clicked on the security center icon and found that the security center was turned off (see screen shot). When I click "Turn on now" nothing happens. I ran your DNS cache flush and I'm going to run an MBam and SuperAntiSpyware scan and then I'll post the logs. Any ideas on why security center is turned off and won't come back on? I ran a full scan with MSE last night (took almost 3 hours) and no malware, viruses, etc. were found. I'm also communicating with MBam support and they're having me run some tests. Thanks for your help.

Fred
 

Attachments

  • Security_ctr.JPG

Were you infected at one time? You have a lot of anti-malware programs showing:

c:\program files\microsoft security essentials
%ProgramFiles%\Windows Defender
c:\program files\superantispyware
c:\program files\lavasoft\ad-aware
c:\progra~1\pc-doc~1
c:\program files\Malwarebytes' Anti-Malware
c:\program files\a-squared Free

Go into Services, scroll down to Windows Defender, right click on it, choose properties, then set it to 'Disabled'.

Reboot/restart your computer ... now see if you can turn on the security center
 


No I've never been infected. I'm using MSE presently for anti-virus. I also run SuperAntiSpyware, a-squared, and Malwarebytes about once a month. I no longer have AdAware. When I uninstalled it must have left some traces. PC Doc I never used. Don't know how it got there. I've attached the SuperAntiSpyware and mbam logs that you asked for.

Disabling Windows Defender did not help. I still can't turn the Security Center on. However, all components of the Security are working when I go to start and click on them (MSE, Windows Firewall, Updates...and is there one more thing I'm forgetting?)

Any more suggestions on turning Security Center back on? This just occurred this AM when I first turned on the computer.
Check out the mbam and Spyware logs and let me know what you find. Thanks very much.

Fred
 

SuperAntiSpyware ---> Generated 11/07/2009 at 01:58 PM

Do you have a scan log for today's date?

Look in Services again, and see if Security Center is set for Automatic.
 

It's set for automatic. I ran the SuperAntiSpyware today and sent the log that was generated. I didn't even notice the date. I'll run another.
 

edit ...
 

I do have a screenshot of today's SuperAntiSpyware if that will help. I'm attaching it. I don't know why I sent that old log.
 

Attachments

  • AdWare.JPG
  • AdWare2.JPG

Jacee, I just got your post about June 9 or 10, but when I click on the link it doesn't go to that message any more. Today is June 9. I'm in Memphis, TN. The mbam log on my desktop says 6/9/2010. I'm attaching it again.
 

You can delete the tracking cookies that were quarantined. Did you see my post above about going back into services again?
 


Yes, I saw it. Security Center is set to automatic.
 

Fred, download HijackThis! HijackThis - Trend Micro USA

Run as Administrator, press 'Do a System Scan and save Log File'
Copy and paste the log back for me to see. You have some 'leftovers' that we can get rid of.
 


Jacee,

Here's what I got. A note saying that for some reason my system denied write access to the host file. Then I got a screen that said "scan". I'm attaching all as screen shots.
 

Attachments

  • Hijack.JPG
  • HiJackLog.JPG
  • HiJackLog2.JPG

You must not have right clicked to run as Administrator. Is UAC turned on?

That picture is too hard for me to read ... Just copy and paste the log :D
 


OK I got it this time. BTW, I got Security Center back on. It was something you said in an earlier post about not using RevoUninstaller. I remembered when I was uninstalling MSE that there were some items in bold which Revo said to delete. Both of these items were registry entries and the word in bold was "security". I just did a system restore back to that uninstall point and the Security center came back. I then went back and got the 1.46 version mbam. Everything seems to be working fine now, but go ahead and check out the log below and let me know if you have any suggestions. Thanks. Fred



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:40:34 PM, on 6/9/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\KBD\kbd.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Fred\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [KBD] C:\Program Files\Hewlett-Packard\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [DVDAgent] "c:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - Help and Support
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7703 bytes
 

Good deal! Be so very careful using RevoUninstaller, you can flubber up your computer, in more ways than one.

Now rescan with HJT, put a check mark next to these items:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [KBD] C:\Program Files\Hewlett-Packard\KBD\KbdStub.EXE
This watches for Multimedia Keys on HP keyboards. Not necessary in startup
O4 - HKLM\..\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
Not necessary in start up, not a Windows core file.
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)

Once you've checked all these items, click "fix checked" and exit out of HJT. Don't reboot, yet!

Click on Computer from the start orb ... navigate to C:\Program Files\Lavasoft\Ad-Aware and delete the folder (if you've uninstalled it)

Reboot/restart your computer and post a 'fresh' HJT log for me. :)
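
Added example, not part of the thread and not code from HijackThis or Trend Micro: the by-hand triage in the post above, sketched in Python. It parses the Rn/On entry lines, flags entries whose target is reported as "(no file)" or "(file missing)", lists the O4 autoruns, and reports any O1 hosts line that is not a loopback mapping for localhost. The section descriptions and all function names are assumptions of this sketch; the sample lines are copied from the log posted earlier in the thread.

```python
import ipaddress
import re
from typing import NamedTuple

# Entries copied from the HijackThis log posted in this thread (subset only).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [KBD] C:\Program Files\Hewlett-Packard\KBD\KbdStub.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
--
End of file - 7703 bytes
"""

# Meanings of the section codes seen in that log. The wording is this
# example's own summary (an assumption), not output of HijackThis.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O1": "Hosts file entry", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "Autostart (Run key)",
    "O8": "IE context-menu item", "O16": "ActiveX download",
    "O20": "Winlogon Notify", "O22": "SharedTaskScheduler",
    "O23": "Windows service",
}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)$", re.IGNORECASE)
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


class Entry(NamedTuple):
    code: str
    section: str
    detail: str
    orphan: bool  # the log says the entry's target file is absent


def parse_hjt(text):
    """Return one Entry per 'Rn - ...' / 'On - ...' line; skip all other lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            code, detail = m.groups()
            entries.append(Entry(code, SECTIONS.get(code, "other"), detail,
                                 bool(ORPHAN_RE.search(detail))))
    return entries


def orphans(entries):
    """Leftover registrations whose files are gone."""
    return [e for e in entries if e.orphan]


def autoruns(entries):
    """(registry key, value name, command) for each O4 Run/RunOnce entry."""
    out = []
    for e in entries:
        m = RUN_RE.match(e.detail) if e.code == "O4" else None
        if m:
            out.append((m["key"], m["name"], m["cmd"]))
    return out


def unexpected_hosts(entries):
    """O1 lines that are not a loopback mapping for 'localhost'."""
    flagged = []
    for e in entries:
        if e.code != "O1" or not e.detail.startswith("Hosts:"):
            continue
        fields = e.detail[len("Hosts:"):].split()
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False  # not an IP address at all: worth a look
        if not (loopback and names == ["localhost"]):
            flagged.append((addr, names))
    return flagged


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in orphans(parsed):
        print(f"orphan   {e.code:<3} {e.section}: {e.detail}")
    for key, name, cmd in autoruns(parsed):
        print(f"autorun  {key} [{name}] -> {cmd}")
    for addr, names in unexpected_hosts(parsed):
        print(f"hosts    {addr} -> {' '.join(names)}")
```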
 


I'll get to this in the morning. Thanks, Jacee.
 
