Solve : MalwareBytes fails detecting virus/malware generating Google C

1.	Solve : MalwareBytes fails detecting virus/malware generating Google Chrome popups and r?
Answer» Quote I am still getting a strange version of browser hijack. It only happens in Chrome. The hijacks are seemingly random. Does this happen with other browsers such as FireFox or IE? Quote It occurred to me to tell you that I used to run Windows update religiously until a few years ago, but when MS kept trying to force their other malware tool on me and IE 8/9 every time I'd do an update I started to get suspicious that MS could easily install their own BIGBROTHER-WARE (R)(TM)(C) 2013 on my computer. Then about 2 years ago when I learned they were discontinuing support for XP, (which they have since extend the death date to 2014) i considered that perhaps MS would "Auto-Update" a poison pill to break my XP and force me to upgrade to a newer OS. It's important that you get your updates. Malware just love programs that are not kept up-to-date. I use XP and I've never experiened any problems. Quote Can you tell me if there is something malicious in my HijackThis log from earlier? Hijack is obsolete and is no longer used by malware experts. Quote I've learned that a malware could be removed from the computer, but may leave incorrect browser settings. It's possible. You should uninstall and re-install Chrome. Quote Should I also update drivers of some sort, or is that overkill?? No, that's not necessary. Quote Does this happen with other browsers such as FireFox or IE? Not at all. Quote It's important that you get your updates. Malware just love programs that are not kept up-to-date. I use XP and I've never experiened any problems. I tried updating my system in IE8 and the browser just hangs. Any ideas? I am not able to download the updater even -- the browser hangs and I have to use taskkill to manually kill the process. Is this a sign of "subtle" malware on my machine interfering with a process that could FIND and remove it, or is this a more benign yet still disruptive issue? Or put more succinctly -- what is causing this and how can I resolve it so that I can get my updates? As a reminder, here are my relevant specs: (generated with Belarc Advisor Windows XP Professional Service Pack 3 (build 2600) 2.00 GHz Intel Core2 Duo 2GB RAM Internet Explorer Version 8.00.6001.18702 This is what I have tried so far: Windows update from Firefox 19 -- Fails with error saying I need to use IE6 or greater to update. Windows update from IE8 -- hangs at popup asking permission to install "Windows Update". Rebooted and tried update from IE8 again -- failed. Tried a total of 4 times, all to no avail. Win Update from IE8 -- On one attempt clicked the "More Info" dropdown arrows and received this error: Code: [Select]The instruction at "0x0fc70068" referenced memory at "0x0fc70068". The memory could not be "written upon clicking "Ok", IE closed. Checked WindowsUpdate.log. Entries for the first attempt: Code: [Select]2013-02-19 19:56:47:343 3272 1350 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0800) =========== 2013-02-19 19:56:47:343 3272 1350 Misc = Process: C:\WINDOWS\system32\rundll32.exe 2013-02-19 19:56:47:343 3272 1350 Misc = Module: C:\WINDOWS\system32\wuapi.dll 2013-02-19 19:56:47:343 3272 1350 ARP Connected to update session. 2013-02-19 19:56:47:343 3272 1350 ARP User is allowed to install published content. 2013-02-19 19:56:48:234 3272 1350 ARP Managed service NOT found. I'm unsure how to proceed from here. The Windows Update was a preliminary process I was going to do before installing COMODO, so now it seems I'm stuck until this issue gets resolved. Quote Hijack is obsolete and is no longer used by malware experts. Thanks for letting me know that. Can you recommend a good one-stop-shop resource that will INFORM me on what the current BEST PRACTICES and TOOLS for malware detection and removal are? Quote You should uninstall and re-install Chrome. Uninstalled, downloaded & Installed Chrome v. 24 -- Worked! Tested and the weird popups issue is now gone. During uninstall I also clicked "delete browsing data", so if anyone if using my steps as an example, that may be a key component to follow. Also, this was the most expedient solution, but I feel like the culprit possibly was a rogue "extension" or "addon" that I downloaded (mostly Firebug add-ons), and in other circumstances I might have investigated that hunch further. I look forward to your next response and appreciate all your help so far. I know I ask a lot of questions and am pretty tenacious about getting high-granularity answers, which can seem annoying to some. But for me, it's just as important (if not more so) to understand the root cause of an issue as it is to know the best fix. Please don't hesitate to let me know if any of my queries are out of the scope of your expertise. Thanks. Quote Does this happen with other browsers such as FireFox or IE? Quote Not at all. Then the problem appears to be with your browser. Go to Microsoft Windows Update and get all critical updates. If you still get an error please try this. •Please download Dial-A-Fix from one of the following mirrors: Primary mirror Secondary mirror •Extract the zip file to your desktop. •Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot errors, just ignore them and Click to continue. •Press the green double checkmark box (Looks like this: UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this: •Click on Go •Wait for Dial-A-Fix to finish (All the checks marks will be all gone) •Close Dial-A-Fix Quote Go to Microsoft Windows Update and get all critical updates. Upon navigating to that link a modal window pops up with an option to install "Windows Update". When I click install it fails. However, here's something interesting. I decided to see what would happen if I enabled "Automatic Updates". After about 5-10 minutes AU started downloading. In the end I figured a restart was probably required to make the updates take effect -- I was right! The option "Shutdown After Installing Updates" presented itself when I went to reboot. All told, 82 updates were downloaded. Upon reboot I noticed that Windows Firewall had been disabled, presumably by one of the updates that automatically installed. I tried to install Windows Update and it failed/hung again. Subsequently I ran Dial-A-Fix, as per your instructions. No log was generated that I am aware of, however these errors popped up (to avoid unnecessary repetition I put just the dll name) while during program execution: Code: [Select]Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Your version of iesetup.dll is 8.00.6001.18702. Please contact [emailprotected] so that an exception can be made for your version of this file. .... is not DLLInstall-able or the file is corrupted ... .... system32\imgutil.dll is not registerable or the file is corrupted. ... .... system32\inseng.dll ... .... mshtml.dll ... .... msrating.dll ... .... occache.dll ... .... pngfilt.dll ... .... webcheck.dll ... I don't understand it. Does this give a clue as to what is happening? Also, I have begun to notice the busy hourglass again, consistent, like some registry process is continually polling my CPU. I have had "Process Explorer" installed for many months, but I'm not sure I know how use it. Do you think that could help track-down the virus/malware? I considered uninstalling IE8 because it was installed after SP3, however *I noticed there were a lot (20-30) of items that were dependent on or installed after IE8, so I opted against the uninstall at the point. Again, I appreciate your help so far. Any ideas on why it is locking up, or what to do next? Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Unzip ProcessExplorer.zip, and double click on procexp.exe* to run the program. Click on View > Select Colunms. In addition to already pre-selected options, make sure, the Command Line is selected, and press OK. Go File>Save As, and save the report as Procexp.txt. Attach the file to your next reply.Here is the log from running Process Explorer v. 15.3: Code: [Select]Process PID CPU Private Bytes Working Set Description Company Name Command Line System Idle Process 0 97.69 0 K 28 K Interrupts n/a 1.54 0 K 0 K Hardware Interrupts and DPCs procexp.exe 1868 0.77 13,200 K 20,688 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Documents and Settings\nunya\My Documents\Downloads\ProcessExplorer\procexp.exe" WPFFontCache_v0400.exe 6008 2,012 K 4,548 K wpffontcache_v0400.exe Microsoft Corporation C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe wmiprvse.exe 5028 1,964 K 5,072 K WMI Microsoft Corporation C:\WINDOWS\system32\wbem\wmiprvse.exe winlogon.exe 744 7,292 K 3,056 K Windows NT Logon Application Microsoft Corporation winlogon.exe uphclean.exe 2996 628 K 1,728 K User Profile HIVE Cleanup Service Microsoft Corporation "C:\Program Files\UPHClean\uphclean.exe" TWCApp.exe 2004 105,572 K 131,476 K The Weather Channel App The Weather Channel "C:\Program Files\The Weather Channel\The Weather Channel App\TWCApp.exe" TrueImageMonitor.exe 2220 19,468 K 9,784 K Acronis True Image Monitor Acronis "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" System 4 0 K 240 K svchost.exe 1128 24,944 K 36,852 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe 1048 2,852 K 5,456 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k rpcss svchost.exe 1976 5,920 K 6,876 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k HPService svchost.exe 2932 5,020 K 8,332 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k imgsvc svchost.exe 1360 5,004 K 7,200 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService svchost.exe 1292 1,372 K 3,732 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k NetworkService svchost.exe 988 3,204 K 5,340 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe 5524 5,448 K 7,440 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k netsvcs svchost.exe 2432 1,052 K 3,036 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k HPZ12 svchost.exe 4704 1,608 K 3,580 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k HTTPFilter svchost.exe 2520 1,044 K 3,008 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k HPZ12 svchost.exe 664 1,340 K 3,872 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService sqlwriter.exe 2868 960 K 3,588 K SQL Server VSS Writer Microsoft Corporation "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" sqlservr.exe 2316 55,964 K 42,260 K SQL Server Windows NT Microsoft Corporation "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS spoolsv.exe 1748 8,472 K 11,324 K Spooler SubSystem App Microsoft Corporation C:\WINDOWS\system32\spoolsv.exe snmp.exe 2848 1,532 K 3,976 K SNMP Service Microsoft Corporation C:\WINDOWS\System32\snmp.exe smss.exe 644 176 K 444 K Windows NT Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe smax4pnp.exe 2720 2,532 K 4,928 K SMax4PNP Analog Devices, Inc. "C:\Program Files\Analog Devices\Core\smax4pnp.exe" Skype.exe 2620 55,180 K 60,072 K Skype Skype Technologies S.A. "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun services.exe 788 2,012 K 3,864 K Services and Controller app Microsoft Corporation C:\WINDOWS\system32\services.exe schedul2.exe 1168 1,072 K 3,360 K Acronis Scheduler 2 Acronis "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" schedhlp.exe 1144 1,092 K 3,664 K Acronis Scheduler Helper Acronis "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" scardsvr.exe 1792 944 K 2,772 K Smart Card Resource Management Server Microsoft Corporation C:\WINDOWS\System32\SCardSvr.exe ScanToPCActivationApp.exe 1776 2,684 K 8,292 K ScanToPCActivationApp Hewlett-Packard CO. "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN298BWHSY05KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1 Radstgms.exe 2676 1,252 K 3,136 K radstgms Hewlett-Packard "C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe" radsched.exe 2580 856 K 2,752 K radsched Hewlett-Packard "C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe" radexecd.exe 2540 572 K 2,080 K radexecd Hewlett-Packard "C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe" PDVD10Serv.exe 2940 1,124 K 4,128 K PowerDVD RC Service CyberLink Corp. "C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe" oodtray.exe 2992 1,428 K 5,296 K O&O Defrag TrayIcon (Win32) O&O Software GmbH "C:\WINDOWS\system32\oodtray.exe" oodag.exe 2472 2,732 K 5,824 K O&O Defrag Agent (Win32) O&O Software GmbH C:\WINDOWS\system32\oodag.exe olycamdetect.exe 3172 1,260 K 4,696 K OLYMPUS ib Resident Program OLYMPUS IMAGING CORP. "C:\Program Files\Olympus\ib\olycamdetect.exe" /Startup NASvc.exe 2360 2,156 K 4,900 K NeroUpdate Nero AG "C:\Program Files\Nero\Update\NASvc.exe" msseces.exe 3196 5,724 K 10,532 K Microsoft Security Client User Interface Microsoft Corporation "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey msraLinkMonitor.exe 2248 672 K 2,504 K Quaranti Application "C:\Program Files\Remote tools\msraLinkMonitor.exe" MsMpEng.exe 1092 55,348 K 60,448 K Antimalware Service Executable Microsoft Corporation "C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" msdtc.exe 708 1,948 K 5,156 K MS DTC console program Microsoft Corporation C:\WINDOWS\system32\msdtc.exe mqtgsvc.exe 4088 1,428 K 4,028 K Windows NT MSMQ Trigger Service Microsoft Corporation C:\WINDOWS\system32\mqtgsvc.exe mqsvc.exe 3560 2,160 K 6,232 K Message Queuing Service Microsoft Corporation C:\WINDOWS\system32\mqsvc.exe mDNSResponder.exe 1540 984 K 3,124 K Bonjour Service Apple Inc. "C:\Program Files\Bonjour\mDNSResponder.exe" MDM.EXE 2168 1,184 K 3,804 K Machine Debug Manager Microsoft Corporation "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" LWS.exe 3344 8,240 K 13,532 K Camera Software Logitech Inc. "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide LVPrcSrv.exe 2148 1,232 K 2,912 K Logitech LVPrcSrv Module. Logitech Inc. "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe" LSSrvc.exe 2116 684 K 2,620 K Hewlett-Packard Company "C:\Program Files\Common Files\LightScribe\LSSrvc.exe" lsass.exe 800 5,696 K 8,444 K LSA Shell (Export Version) Microsoft Corporation C:\WINDOWS\system32\lsass.exe jqs.exe 2084 2,432 K 1,412 K Java(TM) Quick Starter Service Sun Microsystems, Inc. "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" iviRegMgr.exe 2064 584 K 2,324 K RegMgr Module InterVideo "C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe" iTunesHelper.exe 3376 11,352 K 16,152 K iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe" iPodService.exe 5892 2,448 K 4,160 K iPodService Module (32-bit) Apple Inc. "C:\Program Files\iPod\bin\iPodService.exe" Ida.exe 3424 2,352 K 6,220 K Intelligent Desktop Assistant (IDA) Hewlett-Packard Company "C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE" hpqWmiEx.exe 3096 2,012 K 3,540 K hpqwmiex Module Hewlett-Packard Development Company, L.P. "C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe" HPNetworkCommunicator.exe 4448 4,248 K 6,112 K HPNetworkCommunicator Hewlett-Packard Co. "C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe" GoogleToolbarNotifier.exe 3304 3,404 K 1,748 K GoogleToolbarNotifier Google Inc. "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" googletalk.exe 3472 11,596 K 18,160 K Google Talk Google "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart FolderSizeSvc.exe 1884 2,224 K 4,264 K FolderSize Service Brio "C:\Program Files\FolderSize\FolderSizeSvc.exe" explorer.exe 3912 26,412 K 32,504 K Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE Everything.exe 3540 9,124 K 11,588 K Everything "C:\Program Files\Everything\Everything.exe" -startup Dropbox.exe 4268 47,124 K 53,532 K Dropbox Dropbox, Inc. "C:\Documents and Settings\nunya\Application Data\Dropbox\bin\Dropbox.exe" /systemstartup ctfmon.exe 3264 948 K 3,912 K CTF Loader Microsoft Corporation "C:\WINDOWS\system32\ctfmon.exe" csrss.exe 712 1,772 K 4,420 K Client Server Runtime Process Microsoft Corporation C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 COEMsgDisplay.exe 456 1,068 K 4,184 K COEMsgDisplay Utility Hewlett Packard "C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" COCIManager.exe 3792 2,764 K 5,232 K Camera Control Interface Logitech Inc. "C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe" -Embedding CLMLSvc.exe 3696 4,184 K 6,888 K CyberLink MediaLibray Service CyberLink "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" btwdins.exe 1156 1,868 K 2,672 K Bluetooth Support Server Broadcom Corporation. "c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" BTTray.exe 4168 3,476 K 5,552 K Bluetooth Tray Application Broadcom Corporation. "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" brs.exe 3832 948 K 3,060 K brs cyberlink "C:\Program Files\Cyberlink\Shared files\brs.exe" ati2evxx.exe 1220 944 K 3,496 K ATI External Event Utility EXE Module ATI Technologies Inc. Ati2evxx.exe -Client ati2evxx.exe 956 788 K 3,188 K ATI External Event Utility EXE Module ATI Technologies Inc. C:\WINDOWS\system32\Ati2evxx.exe AppleMobileDeviceService.exe 1300 10,216 K 13,928 K MobileDeviceService Apple Inc. "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" alg.exe 6132 1,188 K 3,688 K Application Layer Gateway Service Microsoft Corporation C:\WINDOWS\System32\alg.exe afcdpsrv.exe 1248 1,600 K 4,712 K File Level CDP Manager Service Acronis "C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe" Sorry, I've been sick the today. I hope that's what you needed. Let me know if you need anything else. Thanks. Oh, almost forgot: Since I discovered that shutting my machine off is the way to install new "Automatic-Updates", I've done that 4 times so far. Each time it says there are 6 updates to install. It never gives me any error, but doesn't it seem like too much of a coincidence that it's the exact same number of updates 3 times in a row?Oops. I just realized you ask for the file to be attached, not cut/pasted, so here it is. Thanks. [recovering disk space, attachment deleted by admin]I can't see anything amiss in the processes. The only thing I can suggest is to use your taskmanager and stop each process except explorer.exe until you find a process that may be causing the hourglass waiting.* [SOLVED:] * Strangely the hourglass issue has disappeared and I can't identify anything that might have made that happen, except possibly allowing auto-update to proceed. Thanks for all your help and patience. * FOR ANYONE ELSE READING THIS * I don't really know what the exact solution was. What I do know is that it was likely a combination of all the anti-malware tools used and then enabling automatic updates in the end. The malware prevention steps I will be taking are: Download & install Comodo Cleaning Essentials 2.5 Download & install Comodo 5.5 NOTE: At the time of this writing, version 6 of Comodo Personal Firewall/Comodo Internet Security was just realeased, and hence there are very little YouTube or web-based instructional DIY tutorials on configuring the new interface, which is significantly different for the first time in half a decade. Therefore, I am installing the 2nd latest version, which is 5.5. Thanks again and Kudos to you SuperDave, without who's help I would have been quite lost!!! :0)> * Kudos Given * * Topic Marked "SOLVED" Good Job! Let's do some cleanup. To uninstall ComboFix* Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane. In the field, type in ComboFix /uninstall (Note: Make sure there's a space between the word ComboFix and the forward-slash.) Then, press Enter, or click OK. This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore. ********************************************** Click Start> Computer> right click the C Drive and choose Properties> enter Click Disk Cleanup from there. Click OK on the Disk Cleanup Screen. Click Yes on the Confirmation screen. This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive) ******************************************* I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free. SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox. * Using SpywareBlaster to protect your computer from Spyware and Malware * If you don't know what ActiveX controls are, see here Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future. Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly. Safe Surfing!

Solve : MalwareBytes fails detecting virus/malware generating Google Chrome popups and r?

Answer»

Quote

I am still getting a strange version of browser hijack. It only happens in Chrome. The hijacks are seemingly random.

Does this happen with other browsers such as FireFox or IE?
Quote

It occurred to me to tell you that I used to run Windows update religiously until a few years ago, but when MS kept trying to force their other malware tool on me and IE 8/9 every time I'd do an update I started to get suspicious that MS could easily install their own BIGBROTHER-WARE (R)(TM)(C) 2013 on my computer. Then about 2 years ago when I learned they were discontinuing support for XP, (which they have since extend the death date to 2014) i considered that perhaps MS would "Auto-Update" a poison pill to break my XP and force me to upgrade to a newer OS.

It's important that you get your updates. Malware just love programs that are not kept up-to-date. I use XP and I've never experiened any problems.
Quote

Can you tell me if there is something malicious in my HijackThis log from earlier?

Hijack is obsolete and is no longer used by malware experts.
Quote

I've learned that a malware could be removed from the computer, but may leave incorrect browser settings.

It's possible. You should uninstall and re-install Chrome.
Quote

Should I also update drivers of some sort, or is that overkill??

No, that's not necessary.
Quote

Does this happen with other browsers such as FireFox or IE?

Not at all.

Quote

It's important that you get your updates. Malware just love programs that are not kept up-to-date. I use XP and I've never experiened any problems.

I tried updating my system in IE8 and the browser just hangs. Any ideas? I am not able to download the updater even -- the browser hangs and I have to use taskkill to manually kill the process. Is this a sign of "subtle" malware on my machine interfering with a process that could FIND and remove it, or is this a more benign yet still disruptive issue? Or put more succinctly -- what is causing this and how can I resolve it so that I can get my updates?

As a reminder, here are my relevant specs:
(generated with Belarc Advisor

Windows XP Professional Service Pack 3 (build 2600)
2.00 GHz Intel Core2 Duo
2GB RAM
Internet Explorer Version 8.00.6001.18702

This is what I have tried so far:

Windows update from Firefox 19 -- Fails with error saying I need to use IE6 or greater to update.
Windows update from IE8 -- hangs at popup asking permission to install "Windows Update".
Rebooted and tried update from IE8 again -- failed. Tried a total of 4 times, all to no avail.

Win Update from IE8 -- On one attempt clicked the "More Info" dropdown arrows and received this error:

Code: [Select]The instruction at "0x0fc70068" referenced memory at "0x0fc70068". The memory could not be "written upon clicking "Ok", IE closed.

Checked WindowsUpdate.log. Entries for the first attempt:

Code: [Select]2013-02-19 19:56:47:343 3272 1350 Misc =========== Logging initialized (build: 7.4.7600.226, tz: -0800) ===========
2013-02-19 19:56:47:343 3272 1350 Misc = Process: C:\WINDOWS\system32\rundll32.exe
2013-02-19 19:56:47:343 3272 1350 Misc = Module: C:\WINDOWS\system32\wuapi.dll
2013-02-19 19:56:47:343 3272 1350 ARP Connected to update session.
2013-02-19 19:56:47:343 3272 1350 ARP User is allowed to install published content.
2013-02-19 19:56:48:234 3272 1350 ARP Managed service NOT found.

I'm unsure how to proceed from here. The Windows Update was a preliminary process I was going to do before installing COMODO, so now it seems I'm stuck until this issue gets resolved.

Quote

Hijack is obsolete and is no longer used by malware experts.

Thanks for letting me know that. Can you recommend a good one-stop-shop resource that will INFORM me on what the current BEST PRACTICES and TOOLS for malware detection and removal are?

Quote

You should uninstall and re-install Chrome.

Uninstalled, downloaded & Installed Chrome v. 24 -- Worked! Tested and the weird popups issue is now gone. During uninstall I also clicked "delete browsing data", so if anyone if using my steps as an example, that may be a key component to follow. Also, this was the most expedient solution, but I feel like the culprit possibly was a rogue "extension" or "addon" that I downloaded (mostly Firebug add-ons), and in other circumstances I might have investigated that hunch further.

I look forward to your next response and appreciate all your help so far. I know I ask a lot of questions and am pretty tenacious about getting high-granularity answers, which can seem annoying to some. But for me, it's just as important (if not more so) to understand the root cause of an issue as it is to know the best fix. Please don't hesitate to let me know if any of my queries are out of the scope of your expertise. Thanks.

Quote

Does this happen with other browsers such as FireFox or IE?

Quote

Not at all.

Then the problem appears to be with your browser.

Go to Microsoft Windows Update and get all critical updates.

If you still get an error please try this.

•Please download Dial-A-Fix from one of the following mirrors:

Primary mirror
Secondary mirror

•Extract the zip file to your desktop.

•Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot errors, just ignore them and Click
to continue.

•Press the green double checkmark box (Looks like this:

UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:

•Click on Go

•Wait for Dial-A-Fix to finish (All the checks marks will be all gone)

•Close Dial-A-Fix
Quote

Go to Microsoft Windows Update and get all critical updates.

Upon navigating to that link a modal window pops up with an option to install "Windows Update". When I click install it fails. However, here's something interesting. I decided to see what would happen if I enabled "Automatic Updates". After about 5-10 minutes AU started downloading. In the end I figured a restart was probably required to make the updates take effect -- I was right! The option "Shutdown After Installing Updates" presented itself when I went to reboot. All told, 82 updates were downloaded.

Upon reboot I noticed that Windows Firewall had been disabled, presumably by one of the updates that automatically installed.

I tried to install Windows Update and it failed/hung again.

Subsequently I ran Dial-A-Fix, as per your instructions. No log was generated that I am aware of, however these errors popped up (to avoid unnecessary repetition I put just the dll name) while during program execution:
Code: [Select]Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Your version of iesetup.dll is 8.00.6001.18702. Please contact [emailprotected] so that an exception can be made for your version of this file.

.... is not DLLInstall-able or the file is corrupted ...

.... system32\imgutil.dll is not registerable or the file is corrupted. ...

.... system32\inseng.dll ...

.... mshtml.dll ...

.... msrating.dll ...

.... occache.dll ...

.... pngfilt.dll ...

.... webcheck.dll ...

I don't understand it. Does this give a clue as to what is happening? Also, I have begun to notice the busy hourglass again, consistent, like some registry process is continually polling my CPU. I have had "Process Explorer" installed for many months, but I'm not sure I know how use it. Do you think that could help track-down the virus/malware?

I considered uninstalling IE8 because it was installed after SP3, however I noticed there were a lot (20-30) of items that were dependent on or installed after IE8, so I opted against the uninstall at the point. Again, I appreciate your help so far. Any ideas on why it is locking up, or what to do next?
Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Colunms.
In addition to already pre-selected options, make sure, the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Attach the file to your next reply.Here is the log from running Process Explorer v. 15.3:

Code: [Select]Process PID CPU Private Bytes Working Set Description Company Name Command Line
System Idle Process 0 97.69 0 K 28 K
Interrupts n/a 1.54 0 K 0 K Hardware Interrupts and DPCs
procexp.exe 1868 0.77 13,200 K 20,688 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Documents and Settings\nunya\My Documents\Downloads\ProcessExplorer\procexp.exe"
WPFFontCache_v0400.exe 6008 2,012 K 4,548 K wpffontcache_v0400.exe Microsoft Corporation C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
wmiprvse.exe 5028 1,964 K 5,072 K WMI Microsoft Corporation C:\WINDOWS\system32\wbem\wmiprvse.exe
winlogon.exe 744 7,292 K 3,056 K Windows NT Logon Application Microsoft Corporation winlogon.exe
uphclean.exe 2996 628 K 1,728 K User Profile HIVE Cleanup Service Microsoft Corporation "C:\Program Files\UPHClean\uphclean.exe"
TWCApp.exe 2004 105,572 K 131,476 K The Weather Channel App The Weather Channel "C:\Program Files\The Weather Channel\The Weather Channel App\TWCApp.exe"
TrueImageMonitor.exe 2220 19,468 K 9,784 K Acronis True Image Monitor Acronis "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
System 4 0 K 240 K
svchost.exe 1128 24,944 K 36,852 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe 1048 2,852 K 5,456 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k rpcss
svchost.exe 1976 5,920 K 6,876 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k HPService
svchost.exe 2932 5,020 K 8,332 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe 1360 5,004 K 7,200 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
svchost.exe 1292 1,372 K 3,732 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe 988 3,204 K 5,340 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe 5524 5,448 K 7,440 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe 2432 1,052 K 3,036 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe 4704 1,608 K 3,580 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe 2520 1,044 K 3,008 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe 664 1,340 K 3,872 K Generic Host Process for Win32 Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
sqlwriter.exe 2868 960 K 3,588 K SQL Server VSS Writer Microsoft Corporation "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
sqlservr.exe 2316 55,964 K 42,260 K SQL Server Windows NT Microsoft Corporation "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
spoolsv.exe 1748 8,472 K 11,324 K Spooler SubSystem App Microsoft Corporation C:\WINDOWS\system32\spoolsv.exe
snmp.exe 2848 1,532 K 3,976 K SNMP Service Microsoft Corporation C:\WINDOWS\System32\snmp.exe
smss.exe 644 176 K 444 K Windows NT Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe
smax4pnp.exe 2720 2,532 K 4,928 K SMax4PNP Analog Devices, Inc. "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
Skype.exe 2620 55,180 K 60,072 K Skype Skype Technologies S.A. "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
services.exe 788 2,012 K 3,864 K Services and Controller app Microsoft Corporation C:\WINDOWS\system32\services.exe
schedul2.exe 1168 1,072 K 3,360 K Acronis Scheduler 2 Acronis "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"
schedhlp.exe 1144 1,092 K 3,664 K Acronis Scheduler Helper Acronis "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
scardsvr.exe 1792 944 K 2,772 K Smart Card Resource Management Server Microsoft Corporation C:\WINDOWS\System32\SCardSvr.exe
ScanToPCActivationApp.exe 1776 2,684 K 8,292 K ScanToPCActivationApp Hewlett-Packard CO. "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN298BWHSY05KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
Radstgms.exe 2676 1,252 K 3,136 K radstgms Hewlett-Packard "C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe"
radsched.exe 2580 856 K 2,752 K radsched Hewlett-Packard "C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe"
radexecd.exe 2540 572 K 2,080 K radexecd Hewlett-Packard "C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe"
PDVD10Serv.exe 2940 1,124 K 4,128 K PowerDVD RC Service CyberLink Corp. "C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe"
oodtray.exe 2992 1,428 K 5,296 K O&O Defrag TrayIcon (Win32) O&O Software GmbH "C:\WINDOWS\system32\oodtray.exe"
oodag.exe 2472 2,732 K 5,824 K O&O Defrag Agent (Win32) O&O Software GmbH C:\WINDOWS\system32\oodag.exe
olycamdetect.exe 3172 1,260 K 4,696 K OLYMPUS ib Resident Program OLYMPUS IMAGING CORP. "C:\Program Files\Olympus\ib\olycamdetect.exe" /Startup
NASvc.exe 2360 2,156 K 4,900 K NeroUpdate Nero AG "C:\Program Files\Nero\Update\NASvc.exe"
msseces.exe 3196 5,724 K 10,532 K Microsoft Security Client User Interface Microsoft Corporation "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
msraLinkMonitor.exe 2248 672 K 2,504 K Quaranti Application "C:\Program Files\Remote tools\msraLinkMonitor.exe"
MsMpEng.exe 1092 55,348 K 60,448 K Antimalware Service Executable Microsoft Corporation "C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe"
msdtc.exe 708 1,948 K 5,156 K MS DTC console program Microsoft Corporation C:\WINDOWS\system32\msdtc.exe
mqtgsvc.exe 4088 1,428 K 4,028 K Windows NT MSMQ Trigger Service Microsoft Corporation C:\WINDOWS\system32\mqtgsvc.exe
mqsvc.exe 3560 2,160 K 6,232 K Message Queuing Service Microsoft Corporation C:\WINDOWS\system32\mqsvc.exe
mDNSResponder.exe 1540 984 K 3,124 K Bonjour Service Apple Inc. "C:\Program Files\Bonjour\mDNSResponder.exe"
MDM.EXE 2168 1,184 K 3,804 K Machine Debug Manager Microsoft Corporation "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
LWS.exe 3344 8,240 K 13,532 K Camera Software Logitech Inc. "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
LVPrcSrv.exe 2148 1,232 K 2,912 K Logitech LVPrcSrv Module. Logitech Inc. "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"
LSSrvc.exe 2116 684 K 2,620 K Hewlett-Packard Company "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
lsass.exe 800 5,696 K 8,444 K LSA Shell (Export Version) Microsoft Corporation C:\WINDOWS\system32\lsass.exe
jqs.exe 2084 2,432 K 1,412 K Java(TM) Quick Starter Service Sun Microsystems, Inc. "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
iviRegMgr.exe 2064 584 K 2,324 K RegMgr Module InterVideo "C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe"
iTunesHelper.exe 3376 11,352 K 16,152 K iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe"
iPodService.exe 5892 2,448 K 4,160 K iPodService Module (32-bit) Apple Inc. "C:\Program Files\iPod\bin\iPodService.exe"
Ida.exe 3424 2,352 K 6,220 K Intelligent Desktop Assistant (IDA) Hewlett-Packard Company "C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE"
hpqWmiEx.exe 3096 2,012 K 3,540 K hpqwmiex Module Hewlett-Packard Development Company, L.P. "C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe"
HPNetworkCommunicator.exe 4448 4,248 K 6,112 K HPNetworkCommunicator Hewlett-Packard Co. "C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe"
GoogleToolbarNotifier.exe 3304 3,404 K 1,748 K GoogleToolbarNotifier Google Inc. "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
googletalk.exe 3472 11,596 K 18,160 K Google Talk Google "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
FolderSizeSvc.exe 1884 2,224 K 4,264 K FolderSize Service Brio "C:\Program Files\FolderSize\FolderSizeSvc.exe"
explorer.exe 3912 26,412 K 32,504 K Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE
Everything.exe 3540 9,124 K 11,588 K Everything "C:\Program Files\Everything\Everything.exe" -startup
Dropbox.exe 4268 47,124 K 53,532 K Dropbox Dropbox, Inc. "C:\Documents and Settings\nunya\Application Data\Dropbox\bin\Dropbox.exe" /systemstartup
ctfmon.exe 3264 948 K 3,912 K CTF Loader Microsoft Corporation "C:\WINDOWS\system32\ctfmon.exe"
csrss.exe 712 1,772 K 4,420 K Client Server Runtime Process Microsoft Corporation C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
COEMsgDisplay.exe 456 1,068 K 4,184 K COEMsgDisplay Utility Hewlett Packard "C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe"
COCIManager.exe 3792 2,764 K 5,232 K Camera Control Interface Logitech Inc. "C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe" -Embedding
CLMLSvc.exe 3696 4,184 K 6,888 K CyberLink MediaLibray Service CyberLink "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
btwdins.exe 1156 1,868 K 2,672 K Bluetooth Support Server Broadcom Corporation. "c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe"
BTTray.exe 4168 3,476 K 5,552 K Bluetooth Tray Application Broadcom Corporation. "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe"
brs.exe 3832 948 K 3,060 K brs cyberlink "C:\Program Files\Cyberlink\Shared files\brs.exe"
ati2evxx.exe 1220 944 K 3,496 K ATI External Event Utility EXE Module ATI Technologies Inc. Ati2evxx.exe -Client
ati2evxx.exe 956 788 K 3,188 K ATI External Event Utility EXE Module ATI Technologies Inc. C:\WINDOWS\system32\Ati2evxx.exe
AppleMobileDeviceService.exe 1300 10,216 K 13,928 K MobileDeviceService Apple Inc. "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
alg.exe 6132 1,188 K 3,688 K Application Layer Gateway Service Microsoft Corporation C:\WINDOWS\System32\alg.exe
afcdpsrv.exe 1248 1,600 K 4,712 K File Level CDP Manager Service Acronis "C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe"

Sorry, I've been sick the today. I hope that's what you needed. Let me know if you need anything else. Thanks.

Oh, almost forgot: Since I discovered that shutting my machine off is the way to install new "Automatic-Updates", I've done that 4 times so far. Each time it says there are 6 updates to install. It never gives me any error, but doesn't it seem like too much of a coincidence that it's the exact same number of updates 3 times in a row?Oops. I just realized you ask for the file to be attached, not cut/pasted, so here it is. Thanks.

[recovering disk space, attachment deleted by admin]I can't see anything amiss in the processes. The only thing I can suggest is to use your taskmanager and stop each process except explorer.exe until you find a process that may be causing the hourglass waiting.*** [SOLVED:] ***

Strangely the hourglass issue has disappeared and I can't identify anything that might have made that happen, except possibly allowing auto-update to proceed. Thanks for all your help and patience.

*** FOR ANYONE ELSE READING THIS ***
I don't really know what the exact solution was. What I do know is that it was likely a combination of all the anti-malware tools used and then enabling automatic updates in the end.

The malware prevention steps I will be taking are:

Download & install Comodo Cleaning Essentials 2.5
Download & install Comodo 5.5

NOTE: At the time of this writing, version 6 of Comodo Personal Firewall/Comodo Internet Security was just realeased, and hence there are very little YouTube or web-based instructional DIY tutorials on configuring the new interface, which is significantly different for the first time in half a decade. Therefore, I am installing the 2nd latest version, which is 5.5.

Thanks again and Kudos to you SuperDave, without who's help I would have been quite lost!!! :0)>

* Kudos Given *
* Topic Marked "SOLVED" *Good Job! Let's do some cleanup.

To uninstall ComboFix

Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

Then, press Enter, or click OK.
This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

************************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
*********************************************
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Solve : MalwareBytes fails detecting virus/malware generating Google Chrome popups and r?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment