Super anti Spyware reports file and registry entries as adware.



Colpol
20-12-2008, 05:43 PM
Hi folks.
Ran SASW on my system. It came back with

ADWARE.HB Helper(12 items)
Files
c:\program files\IE toolbar\eco bar\tbhelper.dll
Registry Keys
10 lines with addresses HKCR\CLSID then "numbers/letter" some of which have
InprocServer32
InprocServer32#thread
ProgID
TypeLib
VersionIndependentProgram
HKCR\URLSearchHook.ToolbarURLSearchHook
HKCR\URLSearchHook.ToolbarURLSearchHook1
HKLM\Software\Classes\CLSID\("Numbers and letters")

Hope this makes sense. Unable to extract the relevant entries from SASW so have had to write it out.
Anyway
Deleted the relevant entries but it came back, so disabled System Restore, emptied the recycle bin and ran it again. Still came back.
Is it part of the Windows protected file system?

Here is My HJT log. Maybe something in there.
BTW the entry
O23 Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
refers to the Lexmark printer I had months ago. I deleted it with HJT but it seems stuck in place and keeps coming back. Not worried about it, just curious as to why it will not remove.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:47 p.m., on 20/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\opware12.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Windows\system32\jusched.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=74&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=74&bd=Presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll C:\Windows\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7564 bytes

Thanks
Colin
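
The SASW list in the post above is one COM class registration (the CLSID key with its InprocServer32, ProgID, TypeLib and VersionIndependentProgID subkeys; the last is written out above as "VersionIndependentProgram") plus the two ProgID aliases and the HKLM\Software\Classes copy of the same CLSID. Two facts matter for the "it keeps coming back" question: HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a CLSID deleted from one hive still shows under HKCR while the other hive's copy remains; and a DLL under C:\Program Files\IE toolbar is not covered by Windows File Protection, which only protects files shipped with Windows. The script below is an added example, not code from the thread, from SUPERAntiSpyware or from HijackThis. It walks the Internet Explorer load points that SASW's detection and the HJT O2/O3 lines correspond to (BHOs, toolbars, URLSearchHooks; the ProgID names above suggest a URL search hook), resolves each CLSID in both hives, and reports the DLL path, whether it is on disk, and its Authenticode status. The function names Resolve-ClsidDll and Get-IeLoadPoints are mine; it assumes Windows PowerShell 3.0 or later, run as administrator on the affected machine, and makes no changes.

```powershell
# Added example (not from the thread, SUPERAntiSpyware or HijackThis). Read-only.
# Resolves IE add-in CLSIDs in BOTH hives behind HKCR, because HKCR is only a
# merged view of HKLM\Software\Classes and HKCU\Software\Classes.

function Resolve-ClsidDll {
    # Emits one object per hive in which the CLSID has an InprocServer32 subkey.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Classes\CLSID\$Clsid"
        if (-not (Test-Path "$key\InprocServer32")) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables([string]((Get-Item "$key\InprocServer32").GetValue('')))
        $progId = if (Test-Path "$key\ProgID") { [string]((Get-Item "$key\ProgID").GetValue('')) } else { '' }
        $onDisk = ($dll -ne '') -and (Test-Path -LiteralPath $dll)
        # Authenticode status: 'Valid', 'NotSigned', 'HashMismatch', ... or 'n/a' if the file is gone.
        $sig = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() } else { 'n/a' }
        [pscustomobject]@{ Clsid = $Clsid; Hive = $hive; ProgId = $progId; Dll = $dll; OnDisk = $onDisk; Signature = $sig }
    }
}

function Get-IeLoadPoints {
    # IE load points. Mode 'SubKey': each subkey name is a CLSID (HJT O2).
    # Mode 'Value': each value name is a CLSID (HJT O3 toolbars, URLSearchHooks).
    $points = @(
        @{ Point = 'BHO (HKLM)';           Mode = 'SubKey'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
        @{ Point = 'BHO (HKCU)';           Mode = 'SubKey'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
        @{ Point = 'Toolbar';              Mode = 'Value';  Path = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar' },
        @{ Point = 'URLSearchHook (HKLM)'; Mode = 'Value';  Path = 'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks' },
        @{ Point = 'URLSearchHook (HKCU)'; Mode = 'Value';  Path = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' }
    )
    $guid = '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$'
    foreach ($p in $points) {
        if (-not (Test-Path $p.Path)) { continue }
        $names = if ($p.Mode -eq 'SubKey') { (Get-ChildItem $p.Path).PSChildName } else { (Get-Item $p.Path).GetValueNames() }
        foreach ($c in @($names | Where-Object { $_ -match $guid })) {
            $hits = @(Resolve-ClsidDll -Clsid $c)
            if ($hits.Count -eq 0) {
                # Load point references a class registered in neither hive: dangling entry.
                [pscustomobject]@{ Point = $p.Point; Clsid = $c; Hive = 'none'; ProgId = ''; Dll = '(no InprocServer32)'; OnDisk = $false; Signature = 'n/a' }
                continue
            }
            foreach ($h in $hits) {
                [pscustomobject]@{ Point = $p.Point; Clsid = $h.Clsid; Hive = $h.Hive; ProgId = $h.ProgId; Dll = $h.Dll; OnDisk = $h.OnDisk; Signature = $h.Signature }
            }
        }
    }
}

# Usage: full table first, then only the entries worth a second look.
Get-IeLoadPoints | Format-Table Point, Clsid, Hive, ProgId, Dll, Signature -AutoSize
Get-IeLoadPoints | Where-Object { $_.Signature -ne 'Valid' }

# AppInit_DLLs (HJT O20) is loaded into every process that maps user32.dll; read it alongside the above.
(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
```

A CLSID that resolves in both HKLM and HKCU, or whose DLL is unsigned and sits outside a known vendor's folder, is the entry to chase; a load point that resolves to no InprocServer32 is a leftover that IE simply ignores.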

Speedy Gonzales
20-12-2008, 05:51 PM
Uninstall all versions of Java, then update it.

Tick these, then tick Fix checked.

Close browsers

Did you uninstall the printer drivers, you didn't just delete its folder did you?

O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"

O4 - HKLM\..\Run: C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

If you didn't do this, tick these 2:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Do a scan with malwarebytes

Colpol
20-12-2008, 06:37 PM
That was quick. No wonder your nick is speedy.
I uninstalled the printer.
Uninstalled Java but auto install won't work (Installer cannot proceed with the current Internet Connection Settings) so downloading for manual install.
Removed entries as suggested.
The entries found by SASW were not found by Malwarebytes before but on your suggestion am scanning again.

Speedy Gonzales
20-12-2008, 06:46 PM
Then reboot after that. If it's still there, disable System Restore.

Colpol
20-12-2008, 08:24 PM
Then reboot after that. If it's still there, disable System Restore.

OK. Did the HJT bit.
Java updated.
SR was still disabled from previous efforts.
Scanned with both MWB and SASW. Nothing found by MWB. Same set found by SASW.
Restarted.
Rescanned with SASW. Damn entries still present?

Speedy Gonzales
20-12-2008, 08:58 PM
Use Trojan Remover then. Install, update, click on scan.

Then select all options under Utilities.

Don't use this though if Vista is 64-bit; it's not compatible with 64-bit.

Colpol
20-12-2008, 10:24 PM
Use Trojan Remover then. Install, update, click on scan.

Then select all options under Utilities.

Don't use this though if Vista is 64-bit; it's not compatible with 64-bit.

Hi Speedy.
Installed and ran Trojan Remover. Found nothing. SASW still finds them.

Speedy Gonzales
20-12-2008, 10:34 PM
Did you update it / select everything under utilities as well, then reboot?

Or if you're game you can do this (http://www.symantec.com/security_response/writeup.jsp?docid=2004-121917-4147-99&tabid=3)

If there's an entry in Add/Remove Programs called Rich Media, uninstall it.

Colpol
20-12-2008, 11:10 PM
Did you update it / select everything under utilities as well, then reboot?

Or if you're game you can do this (http://www.symantec.com/security_response/writeup.jsp?docid=2004-121917-4147-99&tabid=3)

If there's an entry in Add/Remove Programs called Rich Media, uninstall it.

Thanks Speedy.
Installed it but it would not update. Couldn't find the servers to download from. Will try again tomorrow morning.
That procedure looks too scary.

Nothing in Add/Remove called Rich Media.
Will try the update tomorrow.

Cheers
Colin

pctek
21-12-2008, 09:44 AM
Hi folks.
Ran SASW on my system. It came back with

ADWARE.HB Helper(12 items)

c:\program files\IE toolbar\eco bar\tbhelper.dll
Registry Keys
10 lines with addresses HKCR\CLSID then "numbers/letter" some of which


Remove them manually.

Colpol
21-12-2008, 10:19 AM
Back at it.
Updated Trojan Remover manually and rescanned. Nothing found.
Any other suggestions?
Could it be a system file that restores itself, or a false detection by SASW?

Colpol
21-12-2008, 06:13 PM
Remove them manually.

I could do that but would like to know what they do before I try it, just in case it is a vital thingy, as it keeps returning after it is deleted.

Colpol
21-12-2008, 11:19 PM
Found the solution.
Found a program called True Sword which did a brilliant job.

Thanks for all the suggestions offered

Speedy Gonzales
21-12-2008, 11:23 PM
Hmmm, I wouldn't be so sure about that.

If this is it (http://www.symantec.com/security_response/writeup.jsp?docid=2006-062816-5804-99&tabid=1)

It looks like it may be a rogue / misleading program, and it gives you false info.

Colpol
22-12-2008, 10:48 AM
Hmmm, I wouldn't be so sure about that.

If this is it (http://www.symantec.com/security_response/writeup.jsp?docid=2006-062816-5804-99&tabid=1)

It looks like it may be a rogue / misleading program, and it gives you false info.

Interesting.
I downloaded the program, scanned it with all programs on my system, gave a "spam" email address for registration, then entered the reg number. Ran the program and it found and removed the problem.
Rescanned the system with SASW and the problem is gone. No signs of any other infections (real or otherwise) were found/reported by the program.
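
The thread ends with a third-party cleaner that Speedy's Symantec link flags as possibly misleading software. pctek's earlier advice, remove the entries by hand, needs nothing beyond PowerShell, and it is the route that addresses why the keys kept returning: every copy has to go from both hives behind HKCR, from the load points that reference the CLSID, and from disk, with nothing still running that can re-register the DLL. The function below is an added example, not code from the thread or from any tool named in it. Assumptions: an elevated Windows PowerShell 3.0 or later; Internet Explorer and Explorer closed first (a DLL that is mapped into a process cannot be deleted, and a loaded toolbar can write its keys straight back); the CLSID and the ProgID names come from the SASW report; the function name Remove-IeAddin and the all-zero CLSID in the usage line are placeholders of mine. Run it with -WhatIf first and read what it would touch.

```powershell
# Added example (not from the thread or from SASW/HJT/Trojan Remover/True Sword).
# Manual removal of one IE add-in: load points, class registration in BOTH
# hives behind HKCR, ProgID aliases, and the DLL. Supports -WhatIf / -Confirm.
function Remove-IeAddin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string[]]$ProgId = @(),
        # regsvr32 /u calls the DLL's own DllUnregisterServer, i.e. it executes
        # code from the suspect module. Off by default; the key removal below
        # does the same job without running it.
        [switch]$CallUnregister
    )
    $hives = 'HKLM', 'HKCU'

    # Record the DLL path(s) before the registration that points at them is gone.
    $dlls = foreach ($h in $hives) {
        $k = "${h}:\Software\Classes\CLSID\$Clsid\InprocServer32"
        if (Test-Path $k) { [Environment]::ExpandEnvironmentVariables([string]((Get-Item $k).GetValue(''))) }
    }
    $dlls = @($dlls | Where-Object { $_ } | Sort-Object -Unique)

    if ($CallUnregister) {
        foreach ($d in $dlls) {
            if ((Test-Path -LiteralPath $d) -and $PSCmdlet.ShouldProcess($d, 'regsvr32 /u /s')) {
                Start-Process -FilePath regsvr32.exe -ArgumentList '/u', '/s', "`"$d`"" -Wait -NoNewWindow
            }
        }
    }

    # Keys named by the CLSID (BHO load point, class registration) and the ProgID aliases, in both hives.
    $keys = foreach ($h in $hives) {
        "${h}:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
        "${h}:\Software\Classes\CLSID\$Clsid"
        foreach ($pg in $ProgId) { "${h}:\Software\Classes\$pg" }
    }
    foreach ($k in $keys) {
        if ((Test-Path $k) -and $PSCmdlet.ShouldProcess($k, 'Remove-Item -Recurse')) {
            Remove-Item -Path $k -Recurse -Force
        }
    }

    # Load points where the CLSID is a value name rather than a subkey (toolbars, URL search hooks).
    $valueKeys = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
                 'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks',
                 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    foreach ($k in $valueKeys) {
        if ((Test-Path $k) -and ((Get-Item $k).GetValueNames() -contains $Clsid) -and
            $PSCmdlet.ShouldProcess("$k -> $Clsid", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $k -Name $Clsid
        }
    }

    # Finally the file. If this step fails, some process still has the DLL mapped.
    foreach ($d in $dlls) {
        if ((Test-Path -LiteralPath $d) -and $PSCmdlet.ShouldProcess($d, 'Remove-Item')) {
            Remove-Item -LiteralPath $d -Force
        }
    }
}

# Usage (placeholder CLSID; take the real one and the ProgID names from the SASW report):
# Remove-IeAddin -Clsid '{00000000-0000-0000-0000-000000000000}' `
#     -ProgId 'URLSearchHook.ToolbarURLSearchHook', 'URLSearchHook.ToolbarURLSearchHook1' -WhatIf
```

If the keys return after a reboot even though the DLL is gone, something that starts at logon is re-registering the add-in; the HJT O4 lines (and, on this system, whatever schtasks.exe was launching) are where to look before scanning again.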