3 replies to this topic

[Shabby]

Hi All

Was wondering if anyone can shed some light on my problem. Looking for a new an improved screensaver i came across the beautyscreens website where i downloaded what i thought was a new screensaver. Upon opening and installing the file, which was named Halloween_1, which AVG free 8.5 reported no malicious software, i now get random advertisement windows popping up in internet explorer. I use mozilla firefox and have never used explorer, but randomly internet explorer opens with advertisements. The file was saved in C:/program files (x86)/beautyscreens, which i changed to C:/program files (x86)/ Bullshit Virus. It will not let me delete the Bullshit Virus folder and claims that i need permission to do so. i have tried changing the security settings on the folder, but apparently it is already set to 'Everyone' yet it wont let me delete it. I have tried virus scanners AVG free 8.5 and SUPERantispyware but neither of these find anything amiss. I have run the HijackThis program with the following results:

Upon doing a system scan i got:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:47 AM, on 12/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
D:\Games\Steam.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files (x86)\Electronic Arts\EADM\Core.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Bullshit Virus\Beautyscreens.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
D:\Movies\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox 3 Beta 5\firefox.exe
D:\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDtoiPodConverter_upgrade] "C:\Program Files (x86)\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\VistaCodecPack\QT\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Movies\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Steam] "d:\games\steam.exe" -silent
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MobileConnect.EXE] D:\Bin\MobileConnect.EXE
O4 - HKCU\..\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: SetPointII.lnk = ?
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8452 bytes

I then ran the generate startup log list and got:

StartupList report, 12/11/2009, 11:53:21 AM
StartupList version: 1.52.2
Started from : D:\Downloads\HiJackThis.EXE
Detected: Windows Vista SP1 (WinNT 6.00.1905)
Detected: Internet Explorer v7.00 (7.00.6001.18319)
* Using default options
==================================================

Running processes:

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
D:\Games\Steam.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files (x86)\Electronic Arts\EADM\Core.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Bullshit Virus\Beautyscreens.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
D:\Movies\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox 3 Beta 5\firefox.exe
D:\Downloads\HiJackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
SetPointII.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundTray = "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
Ai Nap = "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
CPU Power Monitor = "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
Cpu Level Up help = C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
AppleSyncNotifier = C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
SoundMAXPnP = C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
DVDtoiPodConverter_upgrade = "C:\Program Files (x86)\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade
AVG8_TRAY = C:\PROGRA~2\AVG\AVG8\avgtray.exe
Adobe Reader Speed Launcher = "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
SunJavaUpdateSched = "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
QuickTime Task = "C:\Program Files (x86)\VistaCodecPack\QT\QTTask.exe" -atboottime
iTunesHelper = "D:\Movies\iTunesHelper.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sidebar = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
ehTray.exe = C:\Windows\ehome\ehTray.exe
Steam = "d:\games\steam.exe" -silent
ISUSPM = "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
MobileConnect.EXE = D:\Bin\MobileConnect.EXE
EA Core = "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
WMPNSCFG = C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
SUPERAntiSpyware = C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\Windows\System32/HALLOW~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*[/b][/b]

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files (x86)\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - (no file) - {5C255C8A-E604-49b4-9D64-90988571CECB}
(no name) - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
NameSpace #4: C:\Windows\system32\pnrpnsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\SysWOW64\webcheck.dll

--------------------------------------------------
End of report, 5,927 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


If i am understanding this correctly HijackThis is saying that the beautyscreens program is opening on startup, which maybe why i need special permission to delete it as the computer thinks its a key program in its startup routine.

Any help with this problem would be greatly appreciated, and i hope i have provided enough information.

Cheers

[LDTate]

DO NOT use any TOOLS such as Combofix, SmitfraudFix, MBAM, Vundofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All

Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
• 
• Then click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


Please don't attach the scans / logs, use "copy/paste". .

[Shabby]

Cheers for the help/advise i think i got the problem sorted. I ran my computer in safe mode and this allowed me to delete the 'Beautyscreens' folder. I shut down and restarted my computer immediately after and it is now gone, and so far no more advertisement pop ups. Hopefully it stays gone Cheers again.

[LDTate]

If you're happy, I'm happy