TechSpot

AVG says I have win32/heur

By jybaway
Jun 20, 2010
  1. ...but I am under the impression that it seems to be "cleaned," since AVG ran 2 scans that said I had it, and the last day it finally said it found no infections...but it seems to have moved oleacc.dll to the "virus vault" so now I cannot open Google Chrome anymore, and I also get another oleacc.dll missing error message when I start Windows (I'm running Windows 7 x64 by the way). Also, 32 bit Internet Explorer is mysteriously literally missing from my computer -- what gives?

    I tried the 8 step program and for some reason GMER gives me error messages about the file being in use already, so that doesn't seem to give me anything. When I go to save my Attach and DDS log files, it gives me a "notepad.exe" error message telling me the program cannot open because OLEAC.dll is missing from my computer. I'm on the edge of full fledged panic.

    Help...please?
     
  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. jybaway

    jybaway TS Rookie Topic Starter

    I am having serious issues: first, when I double click ComboFix, it says n.pif at the top of the error box, and tells me that it cannot open because OLEACC.dll is missing from my computer.

    Then, it continues for a while, and finally gives me an error message that says that my OS is incompatible with ComboFix (I am running Windows 7 x64).

    What else can I do?

    Thanks again/in advance for any help.
     
  4. Broni


    Oh, OK.
    Neither GMER nor Combofix will run on a 64-bit system.

    ===================================================================

    Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ======================================================================

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    Print these instructions out.

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):

    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.

    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
     
  5. Broni


    From jybaway:

     

    Attached Files:

  6. Broni


    Please, post exact error message.
    Does AVG still find same infection?
    If so, I need to know exact AVG message, indicating infected file name and location.

    =====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    oleacc.dll
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. jybaway


    The error message is the same one I get when I try to open Google Chrome. The top of the box says "iaanotif.exe - System Error" and the message says "The program can't start because OLEACC.dll is missing from your computer. Try reinstalling the program to fix this problem." Coincidentally I have tried reinstalling Chrome... it doesn't work.

    AVG found 2 instances of Win32/heur in oleacc.dll on two separate days (06/18 and 06/19): the first was in C:\Windows\SysWOW64\oleacc.dll and it says moved to virus vault. The second was C:\Program Files (x86)\Intel Matrix Storage Manager\IAAnotif.exe (2632). It just says "Reboot is required to finish the action," despite the fact that I've rebooted several times since those dates.

    Every subsequent scan has turned up no infections at all, but I still can't open Chrome, Internet Explorer 32-bit, and get oleacc.dll error messages when I try to save something in notepad as well as the error I get on startup.

    The OTL logs are attached.
     

    Attached Files:

  8. Broni


    OK. Clear enough.
    In the future, if you have any file flagged by the heuristic part of your AV program's scan, make sure to upload the file in question to http://www.virustotal.com/ for a security check. False positives happen, so if the file is fine at VirusTotal, simply deny your AV's request.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      IAAnotif.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  9. jybaway


    Okay, here's the logfile. I will definitely take your advice in the future... especially after this nightmare gets fixed!
     

    Attached Files:

  10. Broni


    OK. As you can see from the SystemLook log, one file in question is where it's supposed to be:
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    Now, you have another issue with the OLEACC.DLL file, which is supposed to be here:
    C:\Windows\SysWOW64\oleacc.dll
    but it's missing since your AV got rid of it.

    Now, before we go anywhere else, we have to check if IAAnotif.exe file and a replacement for OLEACC.DLL are safe.

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:

    - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    - C:\Windows\winsxs\wow64_microsoft-windows-oleacc_31bf3856ad364e35_6.1.7600.16385_none_d0ce59c770758425\oleacc.dll

    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  11. jybaway


    Here is the first scan:

    File IAAnotif.exe received on 2010.07.13 12:20:21 (UTC)
    Result: 0/42 (0%)

    Antivirus Version Last Update Result
    a-squared 5.0.0.31 2010.07.13 -
    AhnLab-V3 2010.07.13.01 2010.07.13 -
    AntiVir 8.2.4.10 2010.07.13 -
    Antiy-AVL 2.0.3.7 2010.07.12 -
    Authentium 5.2.0.5 2010.07.13 -
    Avast 4.8.1351.0 2010.07.13 -
    Avast5 5.0.332.0 2010.07.13 -
    AVG 9.0.0.836 2010.07.13 -
    BitDefender 7.2 2010.07.13 -
    CAT-QuickHeal 11.00 2010.07.13 -
    ClamAV 0.96.0.3-git 2010.07.13 -
    Comodo 5414 2010.07.13 -
    DrWeb 5.0.2.03300 2010.07.13 -
    eSafe 7.0.17.0 2010.07.11 -
    eTrust-Vet 36.1.7703 2010.07.13 -
    F-Prot 4.6.1.107 2010.07.11 -
    F-Secure 9.0.15370.0 2010.07.13 -
    Fortinet 4.1.143.0 2010.07.13 -
    GData 21 2010.07.13 -
    Ikarus T3.1.1.84.0 2010.07.13 -
    Jiangmin 13.0.900 2010.07.13 -
    Kaspersky 7.0.0.125 2010.07.13 -
    McAfee 5.400.0.1158 2010.07.13 -
    McAfee-GW-Edition 2010.1 2010.07.13 -
    Microsoft 1.5902 2010.07.13 -
    NOD32 5274 2010.07.13 -
    Norman 6.05.11 2010.07.13 -
    nProtect 2010-07-13.01 2010.07.13 -
    Panda 10.0.2.7 2010.07.12 -
    PCTools 7.0.3.5 2010.07.13 -
    Prevx 3.0 2010.07.13 -
    Rising 22.56.01.04 2010.07.13 -
    Sophos 4.55.0 2010.07.13 -
    Sunbelt 6574 2010.07.13 -
    SUPERAntiSpyware 4.40.0.1006 2010.07.13 -
    Symantec 20101.1.0.89 2010.07.13 -
    TheHacker 6.5.2.1.312 2010.07.12 -
    TrendMicro 9.120.0.1004 2010.07.13 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.13 -
    VBA32 3.12.12.6 2010.07.13 -
    ViRobot 2010.7.12.3932 2010.07.13 -
    VirusBuster 5.0.27.0 2010.07.12 -
    Additional information
    File size: 186904 bytes
    MD5...: d1930ca970d4250d891f432419e3d6c9
    SHA1..: d1522fcd4220d12feb02e9b9dba415e50dadeb18
    SHA256: c839ed92d5bcc293081e05f2b199848c37a478a361ba6c3255421a297211c915
    ssdeep: 3072:+yEEzb9/s5p8Uxa1PbOBJ/pI6/Dy1M3Nm2XlGhDbG0cMn5e:+yEEY8U6DOBNy8oDbXe
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x76ec
    timedatestamp.....: 0x4ad4c623 (Tue Oct 13 18:25:39 2009)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x15374 0x16000 6.48 b74ea2431802e7a9934385d2fa220f25
    .rdata 0x17000 0x52d8 0x6000 4.51 fab34ecf8729d339bbb54f99ffc3e12c
    .data 0x1d000 0x63c4 0x3000 2.98 642afd764058a970ba02ec42d21fa7dd
    .rsrc 0x24000 0xb3d8 0xc000 3.92 9236526d3828fbb2c36e1e03d1432e2c

    ( 12 imports )
    > KERNEL32.dll: SetFilePointer, FlushFileBuffers, GetCurrentProcess, HeapAlloc, HeapFree, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, RtlUnwind, ExitProcess, GetStartupInfoA, GetCommandLineA, HeapReAlloc, HeapSize, TerminateProcess, GetCPInfo, VirtualFree, IsBadWritePtr, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, LCMapStringW, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, GlobalGetAtomNameA, HeapCreate, GetOEMCP, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcatA, lstrcmpW, GetProcAddress, lstrcpyA, GetCurrentThreadId, GlobalFlags, lstrcmpA, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, GetModuleFileNameA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, InitializeCriticalSection, RaiseException, SetLastError, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, GetSystemDefaultLangID, ConvertDefaultLocale, EnumResourceLanguagesA, GetCurrentDirectoryA, SetCurrentDirectoryA, FindFirstFileA, FindNextFileA, FindClose, FormatMessageA, LocalFree, CreateEventA, lstrcpynA, CreateFileA, SetNamedPipeHandleState, CreateThread, ResetEvent, WaitForMultipleObjects, GetOverlappedResult, ReadFile, GetTickCount, CloseHandle, SetEvent, WaitForSingleObject, TerminateThread, WriteFile, Sleep, CreateMutexA, FindResourceA, LoadResource, LockResource, SizeofResource, FreeLibrary, LoadLibraryA, GetModuleHandleA, lstrlenA, lstrcmpiA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, HeapDestroy, InterlockedExchange
    > USER32.dll: CallWindowProcA, SystemParametersInfoA, IsIconic, GetWindowPlacement, CopyRect, SetMenuItemBitmaps, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowLongA, SetWindowsHookExA, CallNextHookEx, GetKeyState, PeekMessageA, ValidateRect, ClientToScreen, GetWindow, GetDlgCtrlID, PtInRect, GetFocus, GetClassNameA, GetParent, GetLastActivePopup, IsWindowEnabled, UnhookWindowsHookEx, LoadCursorA, GetSystemMetrics, GetSysColor, GetSysColorBrush, GetMenuItemID, GetMenuItemCount, GetSubMenu, EnableWindow, MessageBoxA, GetMessageA, DispatchMessageA, CreateWindowExA, UnregisterClassA, RegisterClassExA, DefWindowProcA, wsprintfA, EndDialog, GetCursorPos, CreatePopupMenu, DestroyMenu, GetAsyncKeyState, SetForegroundWindow, TrackPopupMenuEx, InsertMenuItemA, SetTimer, KillTimer, DestroyIcon, DialogBoxParamA, SetWindowPos, AdjustWindowRect, GetWindowLongA, GetClientRect, LoadStringA, CreateDialogParamA, PostMessageA, DestroyWindow, LoadImageA, SetWindowTextA, MessageBeep, GetDlgItem, GetWindowTextA, GetDC, SendMessageA, DrawTextA, ReleaseDC, ScreenToClient, RegisterClassA, GetWindowRect, PostQuitMessage, GetMenuState, GetDesktopWindow, MoveWindow, GrayStringA, DrawTextExA, TabbedTextOutA, RegisterWindowMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassInfoExA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, LoadIconA, MapWindowPoints, GetMenu, AdjustWindowRectEx, GetClassInfoA
    > GDI32.dll: DeleteObject, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, DeleteDC, GetStockObject, SetMapMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, ScaleWindowExtEx, SelectObject, GetDeviceCaps, CreateBitmap
    > WINSPOOL.DRV: DocumentPropertiesA, OpenPrinterA, ClosePrinter
    > comdlg32.dll: GetOpenFileNameA
    > ADVAPI32.dll: RegCloseKey, RegOpenKeyExA, RegOpenKeyA, RegCreateKeyA, RegSetValueExA, RegQueryValueExA
    > SHELL32.dll: ShellExecuteA, SHGetFolderPathA, Shell_NotifyIconA
    > ole32.dll: CoInitializeEx, CoCreateInstance
    > OLEAUT32.dll: -, -, -, -, -
    > COMCTL32.dll: -
    > ISDI.dll: __1Sdi@@QAE@XZ, _getHandles@Sdi@@QAE_AW4_Error@1@PAPAXPAKKPAXKK@Z, _getCount@Sdi@@QAEKKPAXKK@Z, __0Sdi@@QAE@_N@Z, _getTable@Sdi@@QAE_AW4_Error@1@W4_TableType@1@PAX1@Z
    > OLEACC.dll: LresultFromObject, CreateStdAccessibleObject

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    sigcheck:
    publisher....: Intel Corporation
    copyright....: Copyright(C) Intel Corporation 2003-2009
    product......: RAID Event Monitor
    description..: Event Monitor User Notification Tool
    original name: IAAnotif.exe
    internal name: IAAnotif
    file version.: 8.9.4.1004
    comments.....:
    signers......: Intel Corporation
    VeriSign Class 3 Code Signing 2004 CA
    Class 3 Public Primary Certification Authority
    signing date.: 8:25 PM 10/13/2009
    verified.....: -
     
  12. jybaway


    And here's oleacc.dll:

    File oleacc.dll received on 2010.07.13 12:28:23 (UTC)
    Result: 0/42 (0%)

    Antivirus Version Last Update Result
    a-squared 5.0.0.31 2010.07.13 -
    AhnLab-V3 2010.07.13.01 2010.07.13 -
    AntiVir 8.2.4.10 2010.07.13 -
    Antiy-AVL 2.0.3.7 2010.07.12 -
    Authentium 5.2.0.5 2010.07.13 -
    Avast 4.8.1351.0 2010.07.13 -
    Avast5 5.0.332.0 2010.07.13 -
    AVG 9.0.0.836 2010.07.13 -
    BitDefender 7.2 2010.07.13 -
    CAT-QuickHeal 11.00 2010.07.13 -
    ClamAV 0.96.0.3-git 2010.07.13 -
    Comodo 5414 2010.07.13 -
    DrWeb 5.0.2.03300 2010.07.13 -
    eSafe 7.0.17.0 2010.07.11 -
    eTrust-Vet 36.1.7703 2010.07.13 -
    F-Prot 4.6.1.107 2010.07.11 -
    F-Secure 9.0.15370.0 2010.07.13 -
    Fortinet 4.1.143.0 2010.07.13 -
    GData 21 2010.07.13 -
    Ikarus T3.1.1.84.0 2010.07.13 -
    Jiangmin 13.0.900 2010.07.13 -
    Kaspersky 7.0.0.125 2010.07.13 -
    McAfee 5.400.0.1158 2010.07.13 -
    McAfee-GW-Edition 2010.1 2010.07.13 -
    Microsoft 1.5902 2010.07.13 -
    NOD32 5274 2010.07.13 -
    Norman 6.05.11 2010.07.13 -
    nProtect 2010-07-13.01 2010.07.13 -
    Panda 10.0.2.7 2010.07.12 -
    PCTools 7.0.3.5 2010.07.13 -
    Prevx 3.0 2010.07.13 -
    Rising 22.56.01.04 2010.07.13 -
    Sophos 4.55.0 2010.07.13 -
    Sunbelt 6574 2010.07.13 -
    SUPERAntiSpyware 4.40.0.1006 2010.07.13 -
    Symantec 20101.1.0.89 2010.07.13 -
    TheHacker 6.5.2.1.312 2010.07.12 -
    TrendMicro 9.120.0.1004 2010.07.13 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.13 -
    VBA32 3.12.12.6 2010.07.13 -
    ViRobot 2010.7.12.3932 2010.07.13 -
    VirusBuster 5.0.27.0 2010.07.12 -
    Additional information
    File size: 233472 bytes
    MD5...: cbd010bfbed9657c3813400aad03cf8a
    SHA1..: cdcb3a2845dfbf61000e5291eb3d8d5e65db362d
    SHA256: 2dd60a291d8f4a44d7d638c83a46cfa618525a72b9d975fb81f8f403699b9ae6
    ssdeep: 3072:/RjrwYo7juVuox3UMGgx7ZWytNLO9WhACKNhkc/jt+1rvc3bDZXFGGR7Imfmz9gi:/RjRRbTZWyQXCwhP/jw1rshRw9J
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x3089
    timedatestamp.....: 0x4a5bdac8 (Tue Jul 14 01:09:28 2009)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2eee3 0x2f000 6.57 703acc729b6d0594b5c2012a8dc2f1d3
    .orpc 0x30000 0x157 0x200 4.27 7a9f0482dd8b98a20e6ac1c562902856
    .data 0x31000 0x1a28 0x1a00 2.74 ade700194be681930c99a15ce4949dfa
    .rsrc 0x33000 0x54d0 0x5600 4.39 99bd35ebc318ddc30daadcfcf6559df6
    .reloc 0x39000 0x28bc 0x2a00 6.51 9efa7bbefc8673b8c5f19e5cf962577e

    ( 10 imports )
    > msvcrt.dll: memset, __dllonexit, _unlock, _amsg_exit, _initterm, _XcptFilter, realloc, _except_handler4_common, _onexit, swprintf_s, memcpy, wcscpy_s, wcscat_s, _ftol2_sse, _wcslwr_s, wcsstr, _beginthreadex, strncpy_s, memmove, _vsnwprintf, _ftol2, malloc, free, _lock
    > ntdll.dll: EtwGetTraceLoggerHandle, EtwRegisterTraceGuidsW, EtwUnregisterTraceGuids, EtwLogTraceEvent, EtwGetTraceEnableLevel, EtwGetTraceEnableFlags
    > API_MS_Win_Core_LocalRegistry_L1_1_0.dll: RegCreateKeyExW, RegDeleteValueW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW
    > API_MS_Win_Core_ProcessThreads_L1_1_0.dll: GetCurrentProcessId, GetCurrentThreadId, OpenProcessToken, TerminateProcess, CreateThread, GetExitCodeThread, GetCurrentProcess
    > API_MS_Win_Security_Base_L1_1_0.dll: GetSidSubAuthority, GetTokenInformation, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, SetSecurityDescriptorSacl, InitializeAcl, InitializeSecurityDescriptor
    > USER32.dll: SetForegroundWindow, DefWindowProcW, RegisterHotKey, MessageBeep, CreateWindowExW, RegisterClassExW, DispatchMessageW, TranslateMessage, GetMessageW, SetTimer, RemovePropW, SetParent, RegisterClassW, SetPropW, CharPrevW, KillTimer, EnumThreadWindows, SetRectEmpty, IsWindowEnabled, GetKeyState, VkKeyScanW, OemKeyScan, DestroyWindow, UnregisterHotKey, RegisterWindowMessageW, SetWindowsHookExW, UnhookWindowsHookEx, EnumWindows, GetCursorPos, WindowFromPoint, IsMenu, SendMessageTimeoutW, SetRect, SetScrollInfo, GetScrollInfo, IsZoomed, GetSystemMetrics, GetMenuStringW, IsRectEmpty, GetMenu, GetMenuState, GetMenuItemID, MenuItemFromPoint, GetSubMenu, GetMenuItemInfoW, GetMenuItemCount, GetClientRect, IntersectRect, GetClassNameW, MapVirtualKeyW, GetKeyNameTextW, GetDlgItem, GetForegroundWindow, LoadCursorW, GetPropW, GetShellWindow, CharNextW, CharLowerBuffW, LoadStringW, IsChild, GetWindow, IsWindow, MapWindowPoints, GetWindowRect, GetDC, SystemParametersInfoW, ReleaseDC, GetKeyboardLayout, PostMessageW, FindWindowExW, GetWindowLongW, FindWindowW, IsWindowVisible, ScreenToClient, PtInRect, ClientToScreen, SendMessageW, GetWindowThreadProcessId, GetDesktopWindow, GetParent
    > GDI32.dll: DeleteObject, LPtoDP, GetDCOrgEx, CreateFontW, SelectObject, GetCharABCWidthsW
    > KERNEL32.dll: LoadResource, DelayLoadFailureHook, InterlockedCompareExchange, LoadLibraryExA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GlobalUnlock, lstrlenW, InterlockedDecrement, InterlockedIncrement, InterlockedExchange, CompareStringW, GetLocaleInfoW, LocalAlloc, LocalFree, GetLastError, OpenProcess, CloseHandle, GetVersionExW, GetModuleHandleW, GetProcAddress, FindResourceW, lstrlenA, lstrcatW, GetModuleFileNameW, lstrcpynW, HeapDestroy, lstrcmpiW, lstrcpyW, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, GetModuleHandleExW, K32GetModuleBaseNameW, GlobalAlloc, GlobalFree, GetTickCount, DisableThreadLibraryCalls, FreeLibrary, LoadLibraryExW, LoadLibraryW, WriteProcessMemory, CreateFileMappingW, EnterCriticalSection, LeaveCriticalSection, DuplicateHandle, MapViewOfFile, UnmapViewOfFile, GlobalGetAtomNameW, DeleteCriticalSection, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, WideCharToMultiByte, SetLastError, GetVersionExA, WaitForSingleObject, Sleep, ReadProcessMemory, GetThreadLocale, lstrcmpW, GlobalLock, MultiByteToWideChar, SizeofResource
    > ole32.dll: CoTaskMemRealloc, CoInitialize, CoUnmarshalInterface, CreateStreamOnHGlobal, GetHGlobalFromStream, CoReleaseMarshalData, CoMarshalInterThreadInterfaceInStream, CoInitializeEx, CoGetInterfaceAndReleaseStream, CoUninitialize, CoTaskMemFree, ReleaseStgMedium, CoTaskMemAlloc, CoCreateInstance, HWND_UserSize, HWND_UserMarshal, HWND_UserUnmarshal, HWND_UserFree, HMENU_UserSize, HMENU_UserMarshal, HMENU_UserUnmarshal, HMENU_UserFree, CoMarshalInterface
    > RPCRT4.dll: NdrDllGetClassObject, NdrDllCanUnloadNow, NdrCStdStubBuffer_Release, NdrCStdStubBuffer2_Release, NdrDllRegisterProxy, NdrDllUnregisterProxy, CStdStubBuffer_DebugServerRelease, CStdStubBuffer_DebugServerQueryInterface, CStdStubBuffer_CountRefs, CStdStubBuffer_IsIIDSupported, CStdStubBuffer_Invoke, CStdStubBuffer_Disconnect, CStdStubBuffer_Connect, CStdStubBuffer_AddRef, CStdStubBuffer_QueryInterface, NdrStubCall2, NdrStubForwardingFunction, IUnknown_Release_Proxy, IUnknown_AddRef_Proxy, IUnknown_QueryInterface_Proxy, NdrOleFree, NdrOleAllocate

    ( 24 exports )
    AccessibleChildren, AccessibleObjectFromEvent, AccessibleObjectFromPoint, AccessibleObjectFromWindow, CreateStdAccessibleObject, CreateStdAccessibleProxyA, CreateStdAccessibleProxyW, DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, GetOleaccVersionInfo, GetProcessHandleFromHwnd, GetRoleTextA, GetRoleTextW, GetStateTextA, GetStateTextW, IID_IAccessible, IID_IAccessibleHandler, LIBID_Accessibility, LresultFromObject, ObjectFromLresult, PropMgrClient_LookupProp, WindowFromAccessibleObject
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: DirectShow filter (58.3%)
    Windows OCX File (35.7%)
    Win32 Executable Generic (2.4%)
    Win32 Dynamic Link Library (generic) (2.1%)
    Generic Win/DOS Executable (0.5%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Microsoft® Windows® Operating System
    description..: Active Accessibility Core Component
    original name: OLEACC.DLL
    internal name: OLEACC
    file version.: 7.0.0.0 (win7_rtm.090713-1255)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
     
  13. Broni


    Very good :)

    Now, open Windows Explorer, navigate to:
    C:\Windows\winsxs\wow64_microsoft-windows-oleacc_31bf3856ad364e35_6.1.7600.16385_none_d0ce59c770758425
    Copy oleacc.dll file from there and paste it into:
    C:\Windows\SysWOW64
    Restart computer and see, if this solves your Chrome issue.

    Then, if AVG complains again about oleacc.dll or IAAnotif.exe, create an exception for those two files, or whatever it takes for AVG not to scan those two files (I don't use AVG, so I'm not 100% sure how it's done).

    Report on progress and then I'll analyze your OTL files.
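    The copy-from-WinSxS step above (post 13) and the VirusTotal check before it (post 10) can be tied together with a small pre-flight script. This is an added example, not code from the thread or from any of the tools mentioned in it. It assumes you are checking a candidate oleacc.dll read from disk against the SHA-256 that VirusTotal reported for the WinSxS copy in post 12, and it also reads the PE header's Machine field so that only a 32-bit (I386, 0x14c, as the report shows) image is accepted for SysWOW64. It relies on the hash rather than on an embedded Authenticode signature because the same report lists the genuine Windows file as "Unsigned": Windows components are signed through security catalogs, so sigcheck-style tools without catalog lookup report nothing. The minimal PE stub at the bottom is constructed test input only.

```python
"""
Pre-flight check for a replacement system DLL (added example, not from the thread).

Two conditions must both hold before a candidate file is copied into SysWOW64:
  1. its SHA-256 equals the value of the copy that was already vetted on VirusTotal,
     so exactly the scanned bytes get restored;
  2. its PE header says IMAGE_FILE_MACHINE_I386 (0x14c): SysWOW64 holds 32-bit
     binaries, and a 64-bit oleacc.dll there would not resolve the missing-DLL error.
"""
import hashlib
import struct
from pathlib import Path

IMAGE_DOS_SIGNATURE = 0x5A4D       # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550    # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# SHA-256 that VirusTotal reported for the WinSxS oleacc.dll in post 12 of the thread.
VT_OLEACC_SHA256 = "2dd60a291d8f4a44d7d638c83a46cfa618525a72b9d975fb81f8f403699b9ae6"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_machine(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine, or raise ValueError if this is not a PE image."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature; Machine is its first WORD.
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def check_replacement(data: bytes, expected_sha256: str,
                      want_machine: int = IMAGE_FILE_MACHINE_I386) -> dict:
    """Report hash match, architecture match, and the combined go/no-go decision."""
    digest = sha256_of_bytes(data)
    result = {"sha256": digest, "hash_ok": digest.lower() == expected_sha256.lower()}
    try:
        machine = pe_machine(data)
        result["machine"] = machine
        result["arch_ok"] = machine == want_machine
    except ValueError as exc:
        result["machine"] = None
        result["arch_ok"] = False
        result["error"] = str(exc)
    result["ok"] = result["hash_ok"] and result["arch_ok"]
    return result


def make_minimal_pe(machine: int) -> bytes:
    """Constructed test input: a DOS stub plus NT signature and file header, nothing else."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers start right after the stub
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    nt = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + nt


if __name__ == "__main__":
    import sys
    # Usage: python check_dll.py <candidate.dll> [expected sha256]
    candidate = Path(sys.argv[1]).read_bytes()
    expected = sys.argv[2] if len(sys.argv) > 2 else VT_OLEACC_SHA256
    verdict = check_replacement(candidate, expected)
    print(verdict)
    sys.exit(0 if verdict["ok"] else 1)
```

    Run it against the WinSxS path from post 13 before the copy; a non-zero exit means either the bytes differ from what VirusTotal scanned or the image is not 32-bit, and in both cases the file should not go into SysWOW64.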
     
  14. jybaway


    Eureka!! It works! :) I am having no issues, it seems: no errors at startup and no issues with Chrome.

    What's next? Also, what antivirus do you recommend?

    Thank you thank you thank you a hundred million times over!
     
  15. Broni


    Great news :) :)

    I'm not a big fan of AVG, but, if it works for you, leave it alone. False positives happen with any security program.

    ====================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    ====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O4 - HKLM..\Run: []  File not found
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
      O18:64bit: - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
      O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O33 - MountPoints2\{f9a391d2-10f3-11df-ac23-806e6f6e6963}\Shell - "" = AutoRun
      O33 - MountPoints2\{f9a391d2-10f3-11df-ac23-806e6f6e6963}\Shell\AutoRun\command - "" = G:\Viewer.exe -- [2003/09/24 16:05:54 | 000,821,248 | R--- | M] ()
      [2010/04/13 13:56:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
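The O33 lines in the fix above are MountPoints2 AutoRun handlers: Windows remembers, per user and per volume GUID, the command an autorun.inf asked it to run, and a handler that points at an executable on removable media is the classic autorun-worm vector, which is why OTL lists them. As an added example that is not from the thread or from OTL, the script below enumerates every such handler on the machine, extracts the executable it would launch, and reports whether that file currently exists, so you can judge each entry instead of taking the tool's word for it. The registry path is the real one; the function name and the output layout are mine, and the commented-out removal uses the volume GUID from the fix above as its illustration.

```powershell
# Added example, not from the thread. Lists every per-user MountPoints2 AutoRun handler (what OTL
# reports as O33 entries) with the executable it would launch and whether that executable exists.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-MountPointAutoRun {
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "$base\$($_.PSChildName)\Shell\AutoRun\command"
        if (Test-Path -LiteralPath $cmdKey) {
            # The command lives in the key's default value, which Get-ItemProperty exposes as "(default)".
            $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            if ($cmd) {
                # Separate the executable from its arguments: a quoted path first, else the first token.
                $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
                New-Object PSObject -Property @{
                    Volume  = $_.PSChildName
                    Command = $cmd
                    Exe     = $exe
                    Exists  = [bool](Test-Path -LiteralPath $exe)
                }
            }
        }
    }
}

# Entries whose target still exists are the ones worth looking at first; the rest are stale.
Get-MountPointAutoRun | Sort-Object Exists -Descending | Format-Table -AutoSize Volume, Exists, Command

# Removing one handler by hand (the equivalent of what the OTL fix does for its O33 lines) is deleting
# that volume's Shell subtree. The GUID below is the one from the fix; substitute the entry you are cleaning.
# Remove-Item -LiteralPath "$base\{f9a391d2-10f3-11df-ac23-806e6f6e6963}\Shell" -Recurse
```

The Exists column is a triage hint, not a verdict: a handler whose target is on a drive letter that is not currently mounted (a camera, a CD, a USB stick) reports False until the device is plugged in again, so look at the path and the volume GUID as well.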
     
  16. jybaway

    jybaway TS Rookie Topic Starter

    Okay, updated/uninstalled Java... and here is my OTL log.

    I'm not sure how to thank you enough for your help; is there anything I can do in return?

    Also, is there some other antivirus that you recommend that is better? This is my first ever free antivirus and I had it for about two months before this happened, if even, and before that I have never, ever had any kind of virus issue at all. And while I understand false positives happen, is there some program that is less likely to do it/is generally better? I don't mind shelling out the money if it saves me this headache in the future.
     


  17. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    If you're a lady, I'll take a kiss; if you're a guy, sorry, "Thank you" will do :) :)

    As I said, false positives may happen with any security program. Now you know what to do if it happens again. If in any doubt, I'll be around :)

    Now...

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  18. jybaway

    jybaway TS Rookie Topic Starter

    Okay, cleaned temp files and ran Kaspersky; log is attached.

    Now, please tell me where I can personally deliver that kiss? :blush:
     


  19. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Hahahahahaha.......:)


    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ==================================================================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
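Steps 1 to 3 above, done from an elevated PowerShell instead of the System Protection dialog, as an added example that is not from the thread. It uses only cmdlets present in PowerShell 2.0 on Windows 7, and adds the one check the dialog never gives you: listing the shadow copies after protection is turned off, which confirms the old restore points are actually gone before a clean baseline is created. The assumption that the system drive is C: and the restore point description are mine.

```powershell
# Added example, not from the thread. Reset System Restore after a cleanup: drop the old restore points,
# verify nothing is left, re-enable protection, and create one clean baseline.
# Assumptions: elevated PowerShell; the protected system drive is C:.
$drive = 'C:\'

"Restore points before:"
Get-ComputerRestorePoint | Format-Table -AutoSize SequenceNumber, Description, RestorePointType

# Turning protection off for the drive discards its existing restore points (the dialog warns of the same).
Disable-ComputerRestore -Drive $drive

# Restore points are stored as Volume Shadow Copies; an empty list here proves the old ones are gone.
vssadmin list shadows

Enable-ComputerRestore -Drive $drive

# The clean baseline. MODIFY_SETTINGS is one of the restore-point types Checkpoint-Computer accepts.
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS

"Restore points after:"
Get-ComputerRestorePoint | Format-Table -AutoSize SequenceNumber, Description, CreationTime
```

The cmdlets do not require the reboot the post puts between steps 1 and 3; if you prefer to keep it, run everything up to `vssadmin list shadows`, restart, then run the rest.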
     
  20. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    The issue appears to be resolved.
     
Topic Status:
Not open for further replies.
