TheJoker
MVM
join:2001-04-26
Charlottesville, VA

1 recommendation

TheJoker to edale

MVM

to edale

Re: [Adware] Win 7 laptop infected w/ backup ads, browser redire

said by edale:

Browsers and Notepad working after reboot.

And that's the fix for what - rebooting, as there were items that needed to be removed at reboot.

You can delete the following file as it's corrupt:
C:\Users\ROLLIEA\Downloads\DigitalEditing.pps

How is the system running now?
edale
join:2012-01-21
Seattle, WA

edale

Member

Gotcha.

System running closer to normal but seems like opening links (all in dslreports forums) in new tabs in FF would try to take me to some strange google followed by long alphabet soup address that it couldn't find anyway. Need to test this more to get a better description for you.

Also, Windows shutdown takes a l-o-n-g time.

If it's OK to push the system and see where it's going to come apart, I'll start doing that.
edale

1 edit

edale to TheJoker

Member

to TheJoker
Just went to download PDF-XChange Viewer to replace Adobe Acrobat Reader; this was the URL listed:
»pdf-xchange-viewer.en.so ··· nic.com/

but the new tab displayed this page instead: Removed

which, if I'm not mistaken, was one of the programs I had trouble uninstalling from Control Panel earlier, on 4/29.
That ilivid logo looks mighty familiar.

Mod note: please do NOT post live links that are questionable
edale

1 edit

edale to TheJoker

Member

to TheJoker
Duplicate posting, removed.
edale

edale to TheJoker

Member

to TheJoker
said by TheJoker:

You can delete the following file as it's corrupt:
C:\Users\ROLLIEA\Downloads\DigitalEditing.pps

Deleted.
said by TheJoker:

How is the system running now?

I attempted some more cleanup of unwanted programs via control panel/programs (uninstall). Some uninstalled correctly, others stubbornly did not.
I went and deleted some of the unwanted folders from the Program files folder.
Downloaded/installed PDF-XChange.

Also added AdBlock extension to FF.

Have not seen any of the numerous popups that were proliferating before.

System seems OK except for:
1. Oddball FF browser redirects
2. Prolonged Windows shutdown screen.

TheJoker
MVM
join:2001-04-26
Charlottesville, VA

1 recommendation

TheJoker

MVM

For uninstalling programs, you might want to try Revo Uninstaller at »www.revouninstaller.com/ ··· oad.html

Please run AdwCleaner again and post a new log.

Please also run MBAR, update it, and run a new scan and post both the logs.
edale
join:2012-01-21
Seattle, WA

edale

Member

# AdwCleaner v2.300 - Logfile created 05/02/2013 at 08:20:58
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : ROLLIEA - ROLLIEA-PC
# Boot Mode : Normal
# Running from : C:\Users\ROLLIEA\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Found : HKCU\Software\Softonic

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\ROLLIEA\AppData\Roaming\Mozilla\Firefox\Profiles\s2m5tjo3.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\ROLLIEA\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1232 octets] - [30/04/2013 19:28:11]
AdwCleaner[R2].txt - [1292 octets] - [30/04/2013 20:13:39]
AdwCleaner[R3].txt - [977 octets] - [02/05/2013 08:20:58]
AdwCleaner[S1].txt - [33562 octets] - [29/04/2013 22:47:54]
AdwCleaner[S2].txt - [1358 octets] - [30/04/2013 20:16:32]

########## EOF - C:\AdwCleaner[R3].txt - [1157 octets] ##########
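
A small parser for the AdwCleaner v2 log format posted above, added here as an example (it is not part of the thread and not AdwCleaner's own code). It reads the "# Option [Search|Delete]" header, the "***** [Section] *****" markers, the "Key/Value/File/Folder Found|Deleted :" lines and the per-browser blocks, so someone working through several of these logs can see at a glance whether anything was found and where. The sample log is constructed from the layout in the thread; the user name, paths, toolbar folder and Firefox pref in it are placeholders, not real findings.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the AdwCleaner v2.x layout seen in the thread. User,
# paths and the toolbar/pref entries are placeholders, not real findings.
SAMPLE_LOG = r"""# AdwCleaner v2.300 - Logfile created 05/02/2013 at 08:20:58
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : EXAMPLEUSER - EXAMPLE-PC
# Boot Mode : Normal
# Running from : C:\Users\EXAMPLEUSER\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\Users\EXAMPLEUSER\AppData\Local\ExampleToolbar

***** [Registry] *****

Key Found : HKCU\Software\Softonic

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\EXAMPLEUSER\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\prefs.js

Found : user_pref("browser.search.defaultenginename", "Example Search");

*************************

AdwCleaner[R1].txt - [1232 octets] - [30/04/2013 19:28:11]
"""


class Finding(NamedTuple):
    section: str   # "Registry", "Files / Folders", "Services"
    kind: str      # Key, Value, File, Folder
    action: str    # Found (Search run) or Deleted (Delete run)
    target: str    # registry path or filesystem path


class Report:
    def __init__(self) -> None:
        self.mode: Optional[str] = None           # "Search" or "Delete"
        self.findings: List[Finding] = []
        self.browsers: Dict[str, List[str]] = {}  # browser -> offending pref lines

    def is_clean(self) -> bool:
        return not self.findings and not any(self.browsers.values())


MODE_RE = re.compile(r"^# Option \[(\w+)\]")
SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")
FINDING_RE = re.compile(r"^(Key|Value|File|Folder) (Found|Deleted) : (.+)$")
BROWSER_RE = re.compile(r"^-\\\\ (.+)$")          # "-\\ Mozilla Firefox v20.0.1"
BROWSER_HIT_RE = re.compile(r"^(?:Found|Deleted) : (.+)$")


def parse_adwcleaner(text: str) -> Report:
    report = Report()
    section: Optional[str] = None
    browser: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MODE_RE.match(line)
        if m:
            report.mode = m.group(1)
            continue
        m = SECTION_RE.match(line)
        if m:
            section, browser = m.group(1), None
            continue
        if line.startswith("*****"):   # the bare asterisk line closes the body
            section, browser = None, None
            continue
        if section == "Internet Browsers":
            m = BROWSER_RE.match(line)
            if m:
                browser = m.group(1)
                report.browsers.setdefault(browser, [])   # listed even if clean
                continue
            m = BROWSER_HIT_RE.match(line)
            if m and browser:
                report.browsers[browser].append(m.group(1))
            continue   # "File : ..." and "[OK] ..." lines carry no finding
        m = FINDING_RE.match(line)
        if m and section:
            report.findings.append(Finding(section, *m.groups()))
    return report


def summarize(report: Report) -> str:
    lines = [f"mode={report.mode} clean={report.is_clean()}"]
    for f in report.findings:
        lines.append(f"  {f.section}: {f.kind} {f.action} -> {f.target}")
    for name, hits in report.browsers.items():
        status = "clean" if not hits else f"{len(hits)} item(s)"
        lines.append(f"  {name}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_adwcleaner(SAMPLE_LOG)))
```

Running it on the sample prints the mode, the two findings and one line per browser; feeding it the Search and Delete logs from the same session lets you confirm that every "Found" item reappears as "Deleted".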
edale

edale to TheJoker

Member

to TheJoker
After Delete:

# AdwCleaner v2.300 - Logfile created 05/02/2013 at 08:22:48
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : ROLLIEA - ROLLIEA-PC
# Boot Mode : Normal
# Running from : C:\Users\ROLLIEA\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKCU\Software\Softonic

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\ROLLIEA\AppData\Roaming\Mozilla\Firefox\Profiles\s2m5tjo3.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\ROLLIEA\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1232 octets] - [30/04/2013 19:28:11]
AdwCleaner[R2].txt - [1292 octets] - [30/04/2013 20:13:39]
AdwCleaner[R3].txt - [1226 octets] - [02/05/2013 08:20:58]
AdwCleaner[S1].txt - [33562 octets] - [29/04/2013 22:47:54]
AdwCleaner[S2].txt - [1358 octets] - [30/04/2013 20:16:32]
AdwCleaner[S3].txt - [1160 octets] - [02/05/2013 08:22:48]

########## EOF - C:\AdwCleaner[S3].txt - [1220 octets] ##########
edale

edale to TheJoker

Member

to TheJoker
Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.05.02.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
ROLLIEA :: ROLLIEA-PC [administrator]

5/2/2013 8:39:10 AM
mbar-log-2013-05-02 (08-39-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28172
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
edale

edale to TheJoker

Member

to TheJoker
Nothing found w/ updated MBAR scan.

BUT:

While posting the AdwCleaner log (after delete/reboot), FF took me to another google.com.(insert alphabet soup) page. Page was blank again. I clicked to update the current page, not open in a new tab, but the google.com.(insert alphabet soup) page displayed in a new tab, similar to the previous occurrences.
edale

edale

Member

Ctrl+clicking on another listing from a Bing search displayed this URL (I put hyphens in; don't anybody try to click this or otherwise visit this page):
b-i-n-g.i-e-b-z.c-o-m
in the URL, page was blank.
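
The redirect targets edale describes (google.com followed by a random string, a Bing lookalike) share one shape: the brand name sits in a subdomain label while the registrable domain is something else entirely. Below is a small check for that shape, added as an example and not part of the thread. The hostnames it runs over are constructed and use the reserved .example and .test suffixes, and cutting the registrable domain at the last two labels is a simplification (no public-suffix list), so it would mis-split names like google.co.uk.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Brand label -> the registrable domain that label legitimately belongs to.
# Constructed list for this example; extend it for the brands you care about.
KNOWN_BRANDS: Dict[str, str] = {"google": "google.com", "bing": "bing.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list, so
    two-part suffixes such as .co.uk are mis-split (assumption, see lead-in)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_host(host: str) -> Optional[str]:
    """Return a reason if the host has a known brand only as a subdomain label
    (google.com.<random>.example), otherwise None."""
    host = host.lower().strip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            return None   # the brand owns the registrable domain: fine
        if brand in labels[:-2]:
            return f"'{brand}' is only a subdomain label; registrable domain is '{reg}'"
    return None


def host_of(url: str) -> str:
    """Hostname of a URL; bare hostnames without a scheme are accepted too."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.hostname or ""


def scan_urls(urls: List[str]) -> List[Tuple[str, str]]:
    flagged = []
    for url in urls:
        reason = check_host(host_of(url))
        if reason:
            flagged.append((url, reason))
    return flagged


# Constructed samples: the first two mimic the shapes reported in the thread.
SAMPLE_URLS = [
    "http://google.com.xk3jq9abqz7.example/?q=dslreports",
    "http://bing.iebz-redirector.test/",
    "https://www.google.com/search?q=pdf-xchange",
    "https://mail.google.com/",
    "https://www.dslreports.com/forum/",
]

if __name__ == "__main__":
    for url, why in scan_urls(SAMPLE_URLS):
        print(f"FLAG {url}: {why}")
```

The check flags the shape, not the random string itself; the random label is what changes between occurrences, the brand-as-subdomain pattern is what stays constant, so that is the stable thing to alert on in a proxy or browser-history review.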

TheJoker
MVM
join:2001-04-26
Charlottesville, VA

1 recommendation

TheJoker

MVM

Please go to VirusTotal and submit the following files for a scan and post the detection results in your next reply:

c:\users\ROLLIEA\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
c:\users\ROLLIEA\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
c:\users\ROLLIEA\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
c:\users\ROLLIEA\AppData\Local\DownloadTerms\temp.dat
edale
join:2012-01-21
Seattle, WA

edale

Member

I have the laptop with me at another location where there is wi-fi (public library)(where it has connected easily before) but it is not able to connect to the wi-fi network here. Might have to wait until I get back to a hardwired connection.
edale

edale to TheJoker

Member

to TheJoker
First response by Virus total said:
"This file was already analyzed by Virus Total on 2013-04-02 13:03:40
Detection ratio 0/46
You can take a look at the last analysis or analyze it again right now."

I chose Reanalyze.

Response:

(the devil/angel meter had devil 1, angel 0.)

SHA256: deef30e052eaa8220a8c9868aa45cc3532d6b5a4b34e439421d55c6a4d207f21
File name: _IsIcoRes.exe
Detection ratio: 0 / 46
Analysis date: 2013-05-03 00:59:16 UTC ( 0 minutes ago )

(the following list had green checkmarks between the two columns)

Agnitum 20130502
AhnLab-V3 20130502
AntiVir 20130503
Antiy-AVL 20130502
Avast 20130503
AVG 20130502
BitDefender 20130503
ByteHero 20130430
CAT-QuickHeal 20130502
ClamAV 20130503
Commtouch 20130503
Comodo 20130503
DrWeb 20130503
Emsisoft 20130503
eSafe 20130501
ESET-NOD32 20130502
F-Prot 20130502
F-Secure 20130503
Fortinet 20130503
GData 20130503
Ikarus 20130503
Jiangmin 20130502
K7AntiVirus 20130502
K7GW 20130502
Kaspersky 20130503
Kingsoft 20130502
Malwarebytes 20130503
McAfee 20130503
McAfee-GW-Edition 20130502
Microsoft 20130503
MicroWorld-eScan 20130503
NANO-Antivirus 20130503
Norman 20130502
nProtect 20130502
Panda 20130502
PCTools 20130502
Sophos 20130503
SUPERAntiSpyware 20130503
Symantec 20130503
TheHacker 20130502
TotalDefense 20130502
TrendMicro 20130503
TrendMicro-HouseCall 20130503
VBA32 20130502
VIPRE 20130503
ViRobot 20130503
edale

edale

Member

from the Additional info tab:

ssdeep
768:SMAyAdTmPJbgqcnDccThMsBmsmBaEX3bsvL7cxjKcL9d:SdU81cc9MmIFXya9d
TrID
Win32 Executable MS Visual C++ (generic) (64.5%)
Win32 Dynamic Link Library (generic) (13.6%)
Win32 Executable (generic) (13.4%)
Generic Win/DOS Executable (4.1%)
DOS Executable Generic (4.1%)
PEiD packer identifier
Armadillo v1.71
ExifTool

SubsystemVersion.........: 4.0
InitializedDataSize......: 53248
ImageVersion.............: 0.0
ProductName..............: InstallShield
FileVersionNumber........: 12.0.0.58849
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: _IsIcoRes.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 12.0.58849
TimeStamp................: 2007:01:20 07:15:38+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: _IsIcoRes.exe
FileAccessDate...........: 2013:05:03 01:59:41+01:00
ProductVersion...........: 12.0
FileDescription..........: InstallShield
OSVersion................: 4.0
FileCreateDate...........: 2013:05:03 01:59:41+01:00
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Copyright (C) 2006 Macrovision Corporation
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Macrovision Corporation
CodeSize.................: 16384
FileSubtype..............: 0
ProductVersionNumber.....: 12.0.0.0
EntryPoint...............: 0x1005
ObjectFileType...........: Executable application

Sigcheck

publisher................: Macrovision Corporation
product..................: InstallShield
internal name............: _IsIcoRes.exe
copyright................: Copyright (C) 2006 Macrovision Corporation
original name............: _IsIcoRes.exe
file version.............: 12.0.58849
description..............: InstallShield

Portable Executable structural information

Compilation timedatestamp.....: 2007-01-20 06:15:38
Target machine................: Intel 386 or later processors and compatible processors
Entry point address...........: 0x00001005

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 13742 16384 5.95 125d4361997b933c25cdfaa441c403f6
.rdata 20480 1952 4096 3.17 15e13969f0737bb4ec50592b029c02f2
.data 24576 10716 12288 0.36 9b57a8510b2e985a48115bbaee120bb5
.rsrc 36864 36676 36864 5.39 4ba0d276eb6299f76d3bfa93dc0a4dba

PE Imports....................:

[[KERNEL32.dll]]
HeapFree, GetStdHandle, LCMapStringW, SetHandleCount, GetOEMCP, LCMapStringA, HeapDestroy, ExitProcess, GetEnvironmentStringsW, GetVersionExA, GetModuleFileNameA, RtlUnwind, LoadLibraryA, FreeEnvironmentStringsA, GetStartupInfoA, GetEnvironmentStrings, GetCPInfo, UnhandledExceptionFilter, MultiByteToWideChar, FreeEnvironmentStringsW, GetCommandLineA, GetProcAddress, WideCharToMultiByte, GetStringTypeA, GetModuleHandleA, WriteFile, GetCurrentProcess, GetACP, HeapReAlloc, GetStringTypeW, TerminateProcess, GetEnvironmentVariableA, HeapCreate, VirtualFree, GetFileType, HeapAlloc, GetVersion, VirtualAlloc

PE Resources..................:

Resource type Number of resources
RT_ICON 5
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1

Resource language Number of resources
NEUTRAL 7

ENGLISH US 1

Symantec Reputation
Suspicious.Insight
ClamAV PUA Engine
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: »www.clamav.net/index.php ··· &lang=en .
First seen by VirusTotal
2012-04-05 03:16:23 UTC ( 1 year ago )
Last seen by VirusTotal
2013-05-03 00:59:16 UTC ( 6 minutes ago )
File names (max. 25)

SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
ARPPRODUCTICON.exe
00D8E06B0033AE2820C20131601FE50015D6202D.exe
ARPPRODUCTICON.exe
SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
A0019751.exe
file-4563098_exe
_IsIcoRes.exe
edale

edale to TheJoker

Member

to TheJoker
Second file results:

(similar preamble about file already having been analysed)

(devil 1, angel 0)

SHA256: deef30e052eaa8220a8c9868aa45cc3532d6b5a4b34e439421d55c6a4d207f21
SHA1: 119c915604c4d8a5de3d7357dc2401fdddadbfd7
MD5: b9693ffe7ada752dbe588c0e004df4c4
File size: 72.0 KB ( 73728 bytes )
File name: _IsIcoRes.exe
File type: Win32 EXE
Detection ratio: 0 / 46
Analysis date: 2013-05-03 00:59:16 UTC ( 11 minutes ago )
0
1
Less details

Analysis
Additional information
Comments
Votes

Antivirus Result Update
Agnitum 20130502
AhnLab-V3 20130502
AntiVir 20130503
Antiy-AVL 20130502
Avast 20130503
AVG 20130502
BitDefender 20130503
ByteHero 20130430
CAT-QuickHeal 20130502
ClamAV 20130503
Commtouch 20130503
Comodo 20130503
DrWeb 20130503
Emsisoft 20130503
eSafe 20130501
ESET-NOD32 20130502
F-Prot 20130502
F-Secure 20130503
Fortinet 20130503
GData 20130503
Ikarus 20130503
Jiangmin 20130502
K7AntiVirus 20130502
K7GW 20130502
Kaspersky 20130503
Kingsoft 20130502
Malwarebytes 20130503
McAfee 20130503
McAfee-GW-Edition 20130502
Microsoft 20130503
MicroWorld-eScan 20130503
NANO-Antivirus 20130503
Norman 20130502
nProtect 20130502
Panda 20130502
PCTools 20130502
Sophos 20130503
SUPERAntiSpyware 20130503
Symantec 20130503
TheHacker 20130502
TotalDefense 20130502
TrendMicro 20130503
TrendMicro-HouseCall 20130503
VBA32 20130502
VIPRE 20130503
ViRobot 20130503

from the additional info tab:

ssdeep
768:SMAyAdTmPJbgqcnDccThMsBmsmBaEX3bsvL7cxjKcL9d:SdU81cc9MmIFXya9d
TrID
Win32 Executable MS Visual C++ (generic) (64.5%)
Win32 Dynamic Link Library (generic) (13.6%)
Win32 Executable (generic) (13.4%)
Generic Win/DOS Executable (4.1%)
DOS Executable Generic (4.1%)
PEiD packer identifier
Armadillo v1.71
ExifTool

SubsystemVersion.........: 4.0
InitializedDataSize......: 53248
ImageVersion.............: 0.0
ProductName..............: InstallShield
FileVersionNumber........: 12.0.0.58849
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: _IsIcoRes.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 12.0.58849
TimeStamp................: 2007:01:20 07:15:38+01:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: _IsIcoRes.exe
FileAccessDate...........: 2013:05:03 01:59:41+01:00
ProductVersion...........: 12.0
FileDescription..........: InstallShield
OSVersion................: 4.0
FileCreateDate...........: 2013:05:03 01:59:41+01:00
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Copyright (C) 2006 Macrovision Corporation
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Macrovision Corporation
CodeSize.................: 16384
FileSubtype..............: 0
ProductVersionNumber.....: 12.0.0.0
EntryPoint...............: 0x1005
ObjectFileType...........: Executable application

Sigcheck

publisher................: Macrovision Corporation
product..................: InstallShield
internal name............: _IsIcoRes.exe
copyright................: Copyright (C) 2006 Macrovision Corporation
original name............: _IsIcoRes.exe
file version.............: 12.0.58849
description..............: InstallShield

Portable Executable structural information

Compilation timedatestamp.....: 2007-01-20 06:15:38
Target machine................: Intel 386 or later processors and compatible processors
Entry point address...........: 0x00001005

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 13742 16384 5.95 125d4361997b933c25cdfaa441c403f6
.rdata 20480 1952 4096 3.17 15e13969f0737bb4ec50592b029c02f2
.data 24576 10716 12288 0.36 9b57a8510b2e985a48115bbaee120bb5
.rsrc 36864 36676 36864 5.39 4ba0d276eb6299f76d3bfa93dc0a4dba

PE Imports....................:

[[KERNEL32.dll]]
HeapFree, GetStdHandle, LCMapStringW, SetHandleCount, GetOEMCP, LCMapStringA, HeapDestroy, ExitProcess, GetEnvironmentStringsW, GetVersionExA, GetModuleFileNameA, RtlUnwind, LoadLibraryA, FreeEnvironmentStringsA, GetStartupInfoA, GetEnvironmentStrings, GetCPInfo, UnhandledExceptionFilter, MultiByteToWideChar, FreeEnvironmentStringsW, GetCommandLineA, GetProcAddress, WideCharToMultiByte, GetStringTypeA, GetModuleHandleA, WriteFile, GetCurrentProcess, GetACP, HeapReAlloc, GetStringTypeW, TerminateProcess, GetEnvironmentVariableA, HeapCreate, VirtualFree, GetFileType, HeapAlloc, GetVersion, VirtualAlloc

PE Resources..................:

Resource type Number of resources
RT_ICON 5
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1

Resource language Number of resources
NEUTRAL 7

ENGLISH US 1

Symantec Reputation
Suspicious.Insight
ClamAV PUA Engine
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: »www.clamav.net/index.php ··· &lang=en .
First seen by VirusTotal
2012-04-05 03:16:23 UTC ( 1 year ago )
Last seen by VirusTotal
2013-05-03 00:59:16 UTC ( 12 minutes ago )
File names (max. 25)

SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
ARPPRODUCTICON.exe
00D8E06B0033AE2820C20131601FE50015D6202D.exe
ARPPRODUCTICON.exe
SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
A0019751.exe
file-4563098_exe
_IsIcoRes.exe
edale

edale to TheJoker

Member

to TheJoker
Third file results:

similar preamble

devil 1, angel 0

SHA256: deef30e052eaa8220a8c9868aa45cc3532d6b5a4b34e439421d55c6a4d207f21
SHA1: 119c915604c4d8a5de3d7357dc2401fdddadbfd7
MD5: b9693ffe7ada752dbe588c0e004df4c4
File size: 72.0 KB ( 73728 bytes )
File name: _IsIcoRes.exe
File type: Win32 EXE
Detection ratio: 0 / 44
Analysis date: 2013-05-03 01:13:50 UTC ( 2 minutes ago )
0
1
Less details

Analysis
Additional information
Comments
Votes

Antivirus Result Update
Agnitum 20130502
AhnLab-V3 20130502
AntiVir 20130503
Antiy-AVL 20130502
Avast 20130503
AVG 20130502
BitDefender 20130503
ByteHero 20130424
CAT-QuickHeal 20130502
ClamAV 20130503
Commtouch 20130503
Comodo 20130503
Emsisoft 20130503
eSafe 20130501
ESET-NOD32 20130502
F-Prot 20130502
F-Secure 20130503
Fortinet 20130503
GData 20130503
Ikarus 20130503
Jiangmin 20130502
K7AntiVirus 20130502
K7GW 20130502
Kaspersky 20130503
Kingsoft 20130502
Malwarebytes 20130503
McAfee 20130503
McAfee-GW-Edition 20130502
Microsoft 20130503
MicroWorld-eScan 20130503
NANO-Antivirus 20130503
Norman 20130502
nProtect 20130502
Panda 20130502
PCTools 20130503
Sophos 20130503
SUPERAntiSpyware 20130503
Symantec 20130503
TheHacker 20130502
TotalDefense 20130502
TrendMicro-HouseCall 20130503
VBA32 20130502
VIPRE 20130503
ViRobot 20130503

From the additional info tab:

ssdeep
768:SMAyAdTmPJbgqcnDccThMsBmsmBaEX3bsvL7cxjKcL9d:SdU81cc9MmIFXya9d
TrID
Win32 Executable MS Visual C++ (generic) (64.5%)
Win32 Dynamic Link Library (generic) (13.6%)
Win32 Executable (generic) (13.4%)
Generic Win/DOS Executable (4.1%)
DOS Executable Generic (4.1%)
PEiD packer identifier
Armadillo v1.71
ExifTool

SubsystemVersion.........: 4.0
InitializedDataSize......: 53248
ImageVersion.............: 0.0
ProductName..............: InstallShield
FileVersionNumber........: 12.0.0.58849
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 6.0
OriginalFilename.........: _IsIcoRes.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
FileVersion..............: 12.0.58849
TimeStamp................: 2007:01:20 06:15:38+00:00
FileType.................: Win32 EXE
PEType...................: PE32
InternalName.............: _IsIcoRes.exe
FileAccessDate...........: 2013:05:03 02:14:48+01:00
ProductVersion...........: 12.0
FileDescription..........: InstallShield
OSVersion................: 4.0
FileCreateDate...........: 2013:05:03 02:14:48+01:00
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Copyright (C) 2006 Macrovision Corporation
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Macrovision Corporation
CodeSize.................: 16384
FileSubtype..............: 0
ProductVersionNumber.....: 12.0.0.0
EntryPoint...............: 0x1005
ObjectFileType...........: Executable application

Sigcheck

publisher................: Macrovision Corporation
product..................: InstallShield
internal name............: _IsIcoRes.exe
copyright................: Copyright (C) 2006 Macrovision Corporation
original name............: _IsIcoRes.exe
file version.............: 12.0.58849
description..............: InstallShield

Portable Executable structural information

Compilation timedatestamp.....: 2007-01-20 06:15:38
Target machine................: Intel 386 or later processors and compatible processors
Entry point address...........: 0x00001005

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 13742 16384 5.95 125d4361997b933c25cdfaa441c403f6
.rdata 20480 1952 4096 3.17 15e13969f0737bb4ec50592b029c02f2
.data 24576 10716 12288 0.36 9b57a8510b2e985a48115bbaee120bb5
.rsrc 36864 36676 36864 5.39 4ba0d276eb6299f76d3bfa93dc0a4dba

PE Imports....................:

[[KERNEL32.dll]]
HeapFree, GetStdHandle, LCMapStringW, SetHandleCount, GetOEMCP, LCMapStringA, HeapDestroy, ExitProcess, GetEnvironmentStringsW, GetVersionExA, GetModuleFileNameA, RtlUnwind, LoadLibraryA, FreeEnvironmentStringsA, GetStartupInfoA, GetEnvironmentStrings, GetCPInfo, UnhandledExceptionFilter, MultiByteToWideChar, FreeEnvironmentStringsW, GetCommandLineA, GetProcAddress, WideCharToMultiByte, GetStringTypeA, GetModuleHandleA, WriteFile, GetCurrentProcess, GetACP, HeapReAlloc, GetStringTypeW, TerminateProcess, GetEnvironmentVariableA, HeapCreate, VirtualFree, GetFileType, HeapAlloc, GetVersion, VirtualAlloc

PE Resources..................:

Resource type Number of resources
RT_ICON 5
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1

Resource language Number of resources
NEUTRAL 7

ENGLISH US 1

Symantec Reputation
Suspicious.Insight
ClamAV PUA Engine
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: »www.clamav.net/index.php ··· &lang=en .
First seen by VirusTotal
2012-04-05 03:16:23 UTC ( 1 year ago )
Last seen by VirusTotal
2013-05-03 01:13:50 UTC ( 3 minutes ago )
File names (max. 25)

SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
ARPPRODUCTICON.exe
00D8E06B0033AE2820C20131601FE50015D6202D.exe
ARPPRODUCTICON.exe
SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
A0019751.exe
file-4563098_exe
_IsIcoRes.exe
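
All three VirusTotal results above carry the same SHA256 (deef30e0...), so the three paths are copies of one InstallShield icon-resource file, and the fourth path turned out not to exist on disk. Hashing locally first shows both of those things before anything is uploaded. The following is an added example, not the thread's or VirusTotal's own code; it builds a few throwaway files in a temporary directory (constructed content, not real binaries) to demonstrate the grouping, and the file names in it are placeholders.

```python
import hashlib
import io
import os
import tempfile
from collections import defaultdict
from typing import BinaryIO, Dict, List, NamedTuple, Sequence, Tuple


class Digest(NamedTuple):
    md5: str
    sha1: str
    sha256: str
    size: int


def digest_stream(fh: BinaryIO) -> Digest:
    """Hash a stream once with the three algorithms VirusTotal reports."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    for chunk in iter(lambda: fh.read(1 << 16), b""):
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return Digest(md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest(), size)


def digest_bytes(data: bytes) -> Digest:
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> Digest:
    with open(path, "rb") as fh:
        return digest_stream(fh)


def group_by_sha256(paths: Sequence[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group existing files by SHA256 and list paths that do not exist
    (the thread's temp.dat case) instead of failing on them."""
    groups: Dict[str, List[str]] = defaultdict(list)
    missing: List[str] = []
    for p in paths:
        if not os.path.isfile(p):
            missing.append(p)
            continue
        groups[digest_file(p).sha256].append(p)
    return dict(groups), missing


def submission_plan(groups: Dict[str, List[str]], missing: List[str]) -> List[str]:
    """One line per unique file to submit (and how many other paths it
    covers), followed by one line per path that was not found."""
    lines = []
    for sha, paths in groups.items():
        extra = len(paths) - 1
        lines.append(f"submit {sha} ({os.path.basename(paths[0])}, covers {extra} other path(s))")
    for p in missing:
        lines.append(f"skip   {p}: not found on disk")
    return lines


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Constructed set: three identical files, one different file, one
    path that does not exist. Names are placeholders, not the real files."""
    with tempfile.TemporaryDirectory() as d:
        same = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real executable"
        paths = []
        for name in ("SVRTgui.exe_EXAMPLE.exe", "SVRTgui.exe1_EXAMPLE.exe", "ARPPRODUCTICON.exe"):
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(same)
            paths.append(p)
        other = os.path.join(d, "unrelated.bin")
        with open(other, "wb") as fh:
            fh.write(b"different constructed content")
        paths.append(other)
        paths.append(os.path.join(d, "DownloadTerms", "temp.dat"))  # deliberately absent
        return group_by_sha256(paths)


if __name__ == "__main__":
    groups, missing = demo()
    print("\n".join(submission_plan(groups, missing)))
```

With the real paths from the thread in place of the constructed ones, the plan would have collapsed to a single submission plus one "not found" line, and the SHA256 alone is enough to look the file up on VirusTotal without uploading it at all.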
edale

1 edit

edale to TheJoker

Member

to TheJoker
4th file:

Upload error
temp.dat file not found
Check the file name and try again.

Checking the HD via Windows Explorer, that folder, DownloadTerms, is empty and set to read-only (files only). Folder options are set to display hidden, system, executable, etc.
edale

edale to TheJoker

Member

to TheJoker
Oh, I just noticed something. Was MSE and SAS supposed to be turned off for these scans?

Computer is behaving well, save for the continuing intermittent browser redirect (emerging pattern: sporadic opening of a bogus blank page in a new tab when no new tab was requested; URL along the lines of google.com.(alphabet soup)).

I will be away from the computer for approx. 4 hours.

TheJoker
MVM
join:2001-04-26
Charlottesville, VA

1 edit

1 recommendation

TheJoker

MVM

Please run a scan with Kaspersky Rescue Disk.

Read all these directions before proceeding.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. A CD/DVD is best as there is no way anything can write on it after it is made. If the system you burn the disk on has Windows 7, you don't need an extra program, just follow these directions to burn the image to disk:
»windows.microsoft.com/en ··· iso-file
»technet.microsoft.com/en ··· 080.aspx

Summarizing:

- Go to a clean PC.
- Download the .iso image file.
- Create a CD (or flash drive if you prefer).
- At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:

- Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
- Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
- Select the required interface language using the arrow-keys on your keyboard.
- Press the Enter key on the keyboard.
- In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
- Click Enter.
- Click '1' to accept the agreement.
- Select operating system from dropdown menu (select Windows whatever)
- Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
- Click My Update Center and update if any available
- Back to other tab and click Start Object Scan (this may take several hours)
- When scan has completed save a report:
-- On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
-- On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
-- On the upper right hand corner of the Detailed report window, click on the Save button.
-- After clicking Detailed Report and 'SAVE', a browse window opens.
-- Double-click on the \
-- Click 'disks'.
-- All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
-- Click on the Save button.
-- The report has been saved to the file.
- Remove the disk from the drive (or disconnect USB) and reboot normally.
Please post the log from Kaspersky Rescue Disk and note any errors encountered.
edale
join:2012-01-21
Seattle, WA

edale

Member

Sorry for the delay. Took a while to download the 303MB file. Then the laptop did not want to boot off the CD, no matter what the boot settings were. Now I'm in, and will post the report as soon as it finishes updating and scanning.

I have it set to scan:

Disk boot sectors
Hidden startup objects
C:
sda1
sda2
edale

edale to TheJoker

Member

to TheJoker
said by TheJoker:

- When scan has completed save a report:
-- On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
-- On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
-- On the upper right hand corner of the Detailed report window, click on the Save button.
-- After clicking Detailed Report and 'SAVE', a browse window opens.
-- Double-click on the \
-- Click 'disks'.
-- All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
-- Click on the Save button.
-- The report has been saved to the file.
- Remove the disk from the drive (or disconnect USB) and reboot normally.
Please post the log from Kaspersky Rescue Disk and note any errors encountered.

I did this, saving a file I named "kav10.txt" which is nowhere to be found on the HD. I am gravely sorry about this.

From my memory, it did not find much, only one non-virus. It was listed as adware, in the FF roaming folder. When the alert box for it displayed, I set to delete it.

It found a dozen other similar items in the same location, but did not give option to delete those.

Again, sorry for the non-log. I spent a good bit of time searching for it.

Getting discouraged here.