Pesky Malware

[Aaron11]

I have some sort of malware/adware/spyware on my PC and can't get rid of it. When Windows starts, an IE window pops up with a web page advertising some German DSL. Anyways, I've done three Avast full system scans (1 thorough, 2 normal). 4 Malwarebytes scans and fixed all errors, and one Spybot S&D scan and fixed any errors. Plus, I've ran ccleaner twice and cheacked everyrthing. I also used the registry cleaner and fixed all errors. Despite what I've done, the pop-up still show up when Windows starts. I'm running Windows 7 Ultimate 64-bit, so an Avast boot-time scan is not an option. Attached is a hijackthis log. Also, one thing worth noting, it doesn't always pop-up, maybe 4/5 start-ups or so. However, when I ran this log, the pop-up had shown and I did the log when the ie window was still open. Any help would be appreciated. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:31 PM, on 12/31/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix: 
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7895 bytes

 

[TechieSooner]

Cool tool that checks all these entries for you: http://www.hijackthis.de

And FWIW- they're all OK.

What process is the IE window running under- it isn't listed. That might be your problem?

 

[evilsofa]

Is it possible to post a screenshot of the offending pop-up?

 

[Aaron11]

Is it possible to post a screenshot of the offending pop-up?

I ran hijackthis while the ie pop-up window was open and submitted it to that sight some one else posted, and still nothing.

 

[TechieSooner]

Anything in msconfig???
I mean there's nothing in the hijackthis to launch IE.

 

[Aaron11]

Anything in msconfig???
I mean there's nothing in the hijackthis to launch IE.

Nope, nothing. It puzzles me because every program I try doesn't detect anything, but there has to be something since it pops up on start-up. Sometimes I hear click noises from system sounds as if a malicous process is trying to accumulate user clicks, but then there's nothing in the processes. Does it seem like a reformat is the only option? I could try system restore to see if that does anything. I wonder if it has to do with a program I installed. I can't really think of any that would do this though.

 

[TechieSooner]

Try creating a second user profile- login with that.
Problem still there?

If not, just copy across your docs to the new profile and delete the old one.

 

[InvisiBill]

Try Autoruns. That shows the most startup stuff of any util I've found.

 

[willyspuddle]

Combofix has been my go to tool when Malwarebytes cannot remove all the nasties.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Also Superantispyware picks up things missed by Malwarebytes and I find it more effective than Spybot.

Cheers!

 

[Captain Colonoscopy]

you should always turn off system restore when you're having malware problems. Malware likes to hide in system restore points to come back from the grave. Turn off system restore and boot into safe mode. Run CCleaner, MBAM, SuperAntiSpyware and CCleaner again using the registry fixer.
Posted via [H] Mobile Device

 

[Aaron11]

Try creating a second user profile- login with that.
Problem still there?

If not, just copy across your docs to the new profile and delete the old one.

Tried, that problem exists across all user accounts.

you should always turn off system restore when you're having malware problems. Malware likes to hide in system restore points to come back from the grave. Turn off system restore and boot into safe mode. Run CCleaner, MBAM, SuperAntiSpyware and CCleaner again using the registry fixer.
Posted via [H] Mobile Device

I tried doing this. Malwarebytes didn't detect anything, neither did ccleaner registry cleaner, however superantispyware detected 7 tracking cookies. One of the tracking cookies was in fact from euro4click.de (the site of the offending pop-up). I fixed all issues within superantispyware and rebooted into Windows normally. Problem still existed! I ran four more superantispyware scans and resolved all that reappeared (the tracking cookie from the website kept reappearing). I then went and set IE to block all cookies (I don't use IE, but I figured it would help since the pop-up opens in an IE window). I also ran two more Malwarebytes scan, which yeilded no problems. I'm currently running ANOTHER superantispyware scan and another avast scan. This malware is really pissing me off. It seems to me that the only option is to reformat, but I want to avoid that at all costs.

Btw, this only adds to my computer troubles right now. I currently have a problem with my monitor (a red vertical line displays on the left side of the screen when certain colors are displayed.). I'm hoping to RMA it to Newegg, but my return expired 12/27! I hope they exchange it, or else I'll have to go through Acer (which would take a lot longer.)

 

[evilsofa]

You could try blocking euro4click.de in your hosts file, but that would not satisfy me as that would only solve a symptom and not the malware causing the problem.

Try using anti-rootkit software like Root Revealer and Sophos Anti-Rootkit.

 

[TechieSooner]

The problem isn't your cookies or anything like that...

iexplore.exe is launching automatically, that's the first problem.

IDK- the fact it's running on multiple accounts is very odd...
Here's a thought I had: Run a find accross the whole registry on that euroclick.de address or whatever it is... See if anything pops up. If it does, notate (or take screenshots) where it's at. Be sure to list out all occurances of it.

 

[Aaron11]

The problem isn't your cookies or anything like that...

iexplore.exe is launching automatically, that's the first problem.

IDK- the fact it's running on multiple accounts is very odd...
Here's a thought I had: Run a find accross the whole registry on that euroclick.de address or whatever it is... See if anything pops up. If it does, notate (or take screenshots) where it's at. Be sure to list out all occurances of it.

Here's what came up when I did a registry search for the euros4click thing. Nothing looks like it has anything to do with the malware itself.

EDIT: Just finished Sophos Anti-rootkit scan. It returned nothing.

 

[TechieSooner]

Did it startup in safe mode too, or not? If not- this is probably fixable.

For the heck of it... Just verify these things

1) Nothing in the startup folder?
2) Check under HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
3) Check the Task Scheduler

 

[Aaron11]

Did it startup in safe mode too, or not? If not- this is probably fixable.

For the heck of it... Just verify these things

1) Nothing in the startup folder?
2) Check under HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
3) Check the Task Scheduler

I checked everything. The ie windows does not pop-up in safe mode.

 

[TechieSooner]

I'm at a loss then

 

[hawk82]

Try running combofix? At this point, I'd probably give in and backup, reformat and reinstall.

 

[Aaron11]

Try running combofix? At this point, I'd probably give in and backup, reformat and reinstall.

Combofix doesn't support 64-bit (what I'm currently running). I guess I'll just reformat.