Vista Anti-Spyware hostile takeover

Started by Daisy, May 16, 2011, 08:20:59 PM


Corrine

Yes, you can delete the downloaded zip file.

When downloading a file, select Save.  Running immediately starts the installation.  By saving, the file goes in my download folder.  This way, my antivirus can scan the downloaded file prior to installation. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Daisy

I got the Windows x86 Offline downloaded.  Was not given any opportunities to UNCHECK anything.

It looks like the uninstaller for "Iwon toolbar" would work.  I didn't do it though.  Shall I?

I'm ready to run ComboFix and I cannot find out how to disable ARO 2011 trial version, but it does give me an opportunity to UNINSTALL.  Should I do that?  That would leave me Microsoft Security Essentials and Malwarebytes' to disable.

I'm stopped at the ComboFix Warning! box now--telling me to disable Microsoft Security Essentials.


Corrine

Hi, Daisy.

Did you complete the installation of the updated Java?  It is during installation of programs like that you need to watch for pre-checked options to add toolbars (like the Iwon toolbar).

Yes, try the uninstaller for "Iwon toolbar".

ARO 2011 is not security software -- however, it is a registry cleaner and, as I indicated previously, not something I would recommend unless extremely knowledgeable about the registry.  Personally, I suggest uninstalling it.

If you use the free version of Malwarebytes, there is nothing to disable.  However, if it is the paid/licensed version, yes, you need to disable MBAM's real-time protection.




Daisy

Java is installed.  I got the window "You have successfully installed Java.  Updates will automatically......"

I uninstalled "Iwon toolbar."

ARO 2011 uninstalled.

Ran Combofix.   It asked if I wanted the newer version from when I started working on it last night, and I said yes.  I have the Combofix log.

Combofix was not on my desktop, it was in downloads or the C: drive--cannot remember.  Could not find ComboFix.exe to check for Recovery Console.

I am using my husband's laptop because I cannot access the internet.

Daisy

I restarted computer so I'm online now.

Daisy

Here is the ComboFix log. I don't know where to find C:ComboFix.txt.

I am beginning to feel I do not have the computer skills to do all this. 


ComboFix 11-05-17.03 - Susan 05/18/2011   7:54.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3060.1708 [GMT -7:00]
Running from: c:\users\Susan\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2011-04-18 to 2011-05-18  )))))))))))))))))))))))))))))))
.
.
2011-05-18 14:57 . 2011-05-18 14:57   --------   d-----w-   c:\users\Susan\AppData\Local\temp
2011-05-18 14:57 . 2011-05-18 14:57   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-05-18 14:38 . 2010-09-23 17:19   643072   ----a-w-   c:\program files\Uninstall iWon Toolbar.dll
2011-05-18 14:36 . 2011-05-18 14:36   --------   d-----w-   c:\program files\Common Files\Java
2011-05-18 03:07 . 2011-05-18 14:34   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-05-17 20:39 . 2011-04-11 07:04   7071056   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{898AA554-85B6-4DA6-8B8B-24B6CD3A3F2B}\mpengine.dll
2011-05-16 01:57 . 2011-05-18 14:40   --------   d-----w-   c:\users\Susan\AppData\Roaming\Sammsoft
2011-05-14 22:17 . 2011-05-16 01:30   0   ----a-w-   c:\users\Susan\AppData\Local\Tsapexijokiqov.bin
2011-05-11 00:14 . 2011-04-07 12:01   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
2011-05-01 21:02 . 2010-09-01 01:43   4199768   ----a-w-   c:\windows\system32\cdintf400.dll
2011-04-27 21:01 . 2011-03-03 15:40   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
2011-04-27 21:01 . 2011-03-03 13:35   4240384   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 21:01 . 2011-03-12 21:55   876032   ----a-w-   c:\windows\system32\XpsPrint.dll
2011-04-20 14:28 . 2011-04-20 14:28   --------   d-----w-   c:\program files\iPod
2011-04-20 14:27 . 2011-04-20 14:28   --------   d-----w-   c:\program files\iTunes
2011-04-20 14:26 . 2011-04-20 14:26   --------   d-----w-   c:\program files\Bonjour
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-16 17:51 . 2011-04-16 17:51   161792   ----a-w-   c:\windows\system32\msls31.dll
2011-04-16 17:51 . 2011-04-16 17:51   1126912   ----a-w-   c:\windows\system32\wininet.dll
2011-04-16 17:50 . 2011-04-16 17:50   86528   ----a-w-   c:\windows\system32\iesysprep.dll
2011-04-16 17:50 . 2011-04-16 17:50   76800   ----a-w-   c:\windows\system32\SetIEInstalledDate.exe
2011-04-16 17:50 . 2011-04-16 17:50   74752   ----a-w-   c:\windows\system32\RegisterIEPKEYs.exe
2011-04-16 17:50 . 2011-04-16 17:50   48640   ----a-w-   c:\windows\system32\mshtmler.dll
2011-04-16 17:50 . 2011-04-16 17:50   63488   ----a-w-   c:\windows\system32\tdc.ocx
2011-04-16 17:50 . 2011-04-16 17:50   367104   ----a-w-   c:\windows\system32\html.iec
2011-04-16 17:50 . 2011-04-16 17:50   74752   ----a-w-   c:\windows\system32\iesetup.dll
2011-04-16 17:50 . 2011-04-16 17:50   23552   ----a-w-   c:\windows\system32\licmgr10.dll
2011-04-16 17:50 . 2011-04-16 17:50   1427456   ----a-w-   c:\windows\system32\inetcpl.cpl
2011-04-16 17:50 . 2011-04-16 17:50   420864   ----a-w-   c:\windows\system32\vbscript.dll
2011-04-16 17:50 . 2011-04-16 17:50   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2011-04-16 17:50 . 2011-04-16 17:50   1797632   ----a-w-   c:\windows\system32\jscript9.dll
2011-04-16 17:50 . 2011-04-16 17:50   152064   ----a-w-   c:\windows\system32\wextract.exe
2011-04-16 17:50 . 2011-04-16 17:50   150528   ----a-w-   c:\windows\system32\iexpress.exe
2011-04-16 17:50 . 2011-04-16 17:50   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2011-04-16 17:50 . 2011-04-16 17:50   11776   ----a-w-   c:\windows\system32\mshta.exe
2011-04-16 17:50 . 2011-04-16 17:50   101888   ----a-w-   c:\windows\system32\admparse.dll
2011-04-16 17:50 . 2011-04-16 17:50   35840   ----a-w-   c:\windows\system32\imgutil.dll
2011-04-16 17:50 . 2011-04-16 17:50   110592   ----a-w-   c:\windows\system32\IEAdvpack.dll
2011-04-13 22:40 . 2011-04-13 22:40   4284416   ----a-w-   c:\windows\system32\GPhotos.scr
2011-04-11 07:04 . 2011-01-21 22:52   7071056   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 23:20 . 2011-04-06 23:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2011-03-10 17:03 . 2011-04-15 01:53   1162240   ----a-w-   c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-15 01:53   1136640   ----a-w-   c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-15 01:53   739328   ----a-w-   c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-27 21:01   173056   ----a-w-   c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 21:01   542720   ----a-w-   c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 21:01   458752   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 21:01   2159616   ----a-w-   c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-15 01:53   2041856   ----a-w-   c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-15 01:53   86528   ----a-w-   c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-22 23:27   288768   ----a-w-   c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-22 23:27   1068544   ----a-w-   c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-22 23:27   797696   ----a-w-   c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-15 01:53   213504   ----a-w-   c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-15 01:53   79360   ----a-w-   c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-15 01:53   106496   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-15 01:53   69632   ----a-w-   c:\windows\system32\drivers\bowser.sys
2011-02-19 00:36 . 2011-02-19 00:36   41984   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
2011-02-19 00:36 . 2011-02-19 00:36   4184352   ----a-w-   c:\windows\system32\usbaaplrc.dll
2011-02-18 14:03 . 2011-04-15 01:53   305152   ----a-w-   c:\windows\system32\drivers\srv.sys
2011-02-18 14:03 . 2011-04-15 01:53   146432   ----a-w-   c:\windows\system32\drivers\srv2.sys
2011-02-18 14:03 . 2011-04-15 01:53   102400   ----a-w-   c:\windows\system32\drivers\srvnet.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-11 00:57   10536   ----a-w-   c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsl87e5d2f4;MpKsl87e5d2f4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{898AA554-85B6-4DA6-8B8B-24B6CD3A3F2B}\MpKsl87e5d2f4.sys [2011-05-18 28752]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL87E5D2F4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-05-17 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 07:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,eb,d9,2e,da,30,d7,47,9b,65,d0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,eb,d9,2e,da,30,d7,47,9b,65,d0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(268)
c:\program files\iWonIE\bar\1.bin\idbrstub.dll
.
Completion time: 2011-05-18  07:58:27
ComboFix-quarantined-files.txt  2011-05-18 14:58
ComboFix2.txt  2011-05-18 14:50
.
Pre-Run: 216,171,003,904 bytes free
Post-Run: 216,143,429,632 bytes free
.
- - End Of File - - D4813AC69F01429494D702ED9BA6FD8C
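As an added example (not part of the thread, and not ComboFix's own code), here is a small Python triage script that parses the format of the ComboFix log above. It reads the "Files Created" and "DLLs Loaded Under Running Processes" sections and flags the same things the helper went after: the iWon leftovers, a third-party DLL loaded into Explorer.exe, and a zero-byte file dropped under the user's AppData. The trimmed sample log and the flagging heuristics are my own constructions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed excerpt of the ComboFix log posted above, trimmed to a few lines;
# the paths are the ones that actually appear in the thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2011-04-18 to 2011-05-18  )))))))))))))))))))))))))))))))
.
2011-05-18 14:38 . 2010-09-23 17:19   643072   ----a-w-   c:\program files\Uninstall iWon Toolbar.dll
2011-05-16 01:57 . 2011-05-18 14:40   --------   d-----w-   c:\users\Susan\AppData\Roaming\Sammsoft
2011-05-14 22:17 . 2011-05-16 01:30   0   ----a-w-   c:\users\Susan\AppData\Local\Tsapexijokiqov.bin
2011-04-27 21:01 . 2011-03-03 15:40   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(268)
c:\program files\iWonIE\bar\1.bin\idbrstub.dll
.
Completion time: 2011-05-18  07:58:27
"""

# One "Files Created" row: created . modified   size   attributes   path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>[a-z]:\\.+)$", re.IGNORECASE)
PROCESS_LINE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)
USER_APPDATA = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.IGNORECASE)
# Name the helper in this thread removed with the CFScript (Folder:: iWonIE, File:: Uninstall iWon Toolbar.dll)
UNWANTED_MARKERS = ("iwon",)


@dataclass
class Finding:
    reason: str
    path: str
    process: str = ""


def triage(log_text: str) -> list[Finding]:
    """Walk the log section by section and return the entries worth a second look."""
    findings: list[Finding] = []
    section, process = None, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Files Created" in line:
            section = "files"
            continue
        if "DLLs Loaded Under Running Processes" in line:
            section = "dlls"
            continue
        if line.startswith(("(((", "---", "Completion time")):  # any other banner ends the section
            section = None
            continue
        if section == "files" and (m := FILE_LINE.match(line)):
            path, attrs, size = m["path"], m["attrs"], m["size"]
            if any(marker in path.lower() for marker in UNWANTED_MARKERS):
                findings.append(Finding("matches name targeted for removal in this thread", path))
            elif USER_APPDATA.match(path) and not attrs.startswith("d"):
                note = ", zero bytes" if size == "0" else ""
                findings.append(Finding(f"new file under user AppData{note}", path))
        elif section == "dlls":
            if p := PROCESS_LINE.match(line):
                process = p["name"]
            elif DRIVE_PATH.match(line) and not line.lower().startswith("c:\\windows\\"):
                findings.append(Finding(f"DLL from outside the Windows directory loaded into {process}", line, process))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}")
```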



Corrine

Hi, Daisy.

Are you still getting the "Error loading C:/users etc. etc. The specified module could not be found." at startup?

With IE 9, the default location for saving files on your computer is C:\Users\Susan\Downloads.  If you select "Save as" by clicking the down arrow next to "Save" from the download notification at the bottom of the screen, you can browse to another location for saving the file. 

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:


Folder::
c:\program files\iWonIE

File::
Uninstall iWon Toolbar.dll


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.




Daisy

Are you still getting the "Error loading C:/users etc. etc. The specified module could not be found." at startup?

No--I am getting this message: "Windows has blocked some Start-Up Programs.  Windows blocks programs that require permission to run when Windows starts.  Click to view blocked programs."  There are about 12-15 on the System Configuration list with checked boxes next to each. 

With IE 9, the default location for saving files on your computer is C:\Users\Susan\Downloads.  If you select "Save as" by clicking the down arrow next to "Save" from the download notification at the bottom of the screen, you can browse to another location for saving the file.       OK--got it.

I'll go ahead with the rest of the instructions now.


Daisy

Notepad gives me no opportunities to "Click Start - > Run....etc.
There is no code box.  Notepad just looks like a blank page with File Edit Format View Help across the top.
Am I in the right place?

Daisy

Corrine, I am feeling overwhelmed.  I have ComboFix but not the .exe.  I see the application which is "pev" and something called "snapshot."

You must be losing patience with me, and if you feel it would be more appropriate, I am willing to take the computer in to the shop for the work it needs.  I feel bad about the time you have put in with me knowing some of the trouble is my lack of understanding of all the programs and systems which run the computer.


Corrine

Quote from: Daisy on May 18, 2011, 08:51:09 PM
No--I am getting this message: "Windows has blocked some Start-Up Programs.  Windows blocks programs that require permission to run when Windows starts.  Click to view blocked programs."  There are about 12-15 on the System Configuration list with checked boxes next to each. 
Are these known programs that you use (i.e., Roxio, Microsoft Office programs, Windows Live, etc.) or unrecognized names?  Can you provide a list or screen copy of what is shown as blocked?

Quote from: Daisy on May 18, 2011, 09:06:21 PM
Notepad gives me no opportunities to "Click Start - > Run....etc.
There is no code box.  Notepad just looks like a blank page with File Edit Format View Help across the top.
Am I in the right place?

First you have to copy the code I provided with the ComboFix instructions.  Paste the information from within the code box in the above instructions in the open Notepad.  Then select File > Save as > ComboFix.txt

Quote from: Daisy on May 18, 2011, 09:20:27 PM
Corrine, I am feeling overwhelmed.  I have ComboFix but not the .exe.  I see the application which is "pev" and something called "snapshot."
It sounds as though you have the settings to hide common file extensions.  See the instructions on how to show the extensions:  Show or hide file name extensions.

By the way, if ComboFix is still in your "downloads" folder (C:\Users\Susan\Downloads), you need to navigate to that location and right-click ComboFix.  Select cut.  Go to C:\Users\Susan\Desktop and paste ComboFix there. 

Now when you save the text file with the code to your desktop, you will be able to drag it on top of ComboFix to run.

Quote from: Daisy on May 18, 2011, 09:20:27 PM
You must be losing patience with me, and if you feel it would be more appropriate, I am willing to take the computer in to the shop for the work it needs.  I feel bad about the time you have put in with me knowing some of the trouble is my lack of understanding of all the programs and systems which run the computer.

If you take your computer to a shop, you won't learn anything.  At least I hope I'm helping you to learn a few more things about your computer (i.e., how to unzip a file, save as).  That is the best part of what I do -- hopefully helping the people I help learn more about their computers and security during the process.



Daisy

I tried to take a screenshot but did not know how to paste it in here. (I could paste into a WP document, but not here.)  The manufacturers in the system configuration window/startup tab are Realtek (HD Audio), Intel, Microsoft, Adobe, Apple, Sun Microsys, and Malwarebytes.  Each has a checked box by it.

Am I to save the notebook page as ComboFix.txt or CFScript.txt?

Daisy

I fixed the file name extensions and have found ComboFix.exe.  It is on the desktop.

Daisy

One more question:

Do I need to disable Malwarebytes, not purchased version?  Last time you said I did not.  Just Microsoft Security.

Corrine

Oops, sorry.  Yes, save the Notepad page as CFScript.txt.  Good catch!

No, you do not need to disable Malwarebytes.

Just to let you know, all the script is going to do is get rid of the iWonIE garbage since it is still showing. 

