Think I must have a virus?

[Joeyboy]

Right I use AVG free and it can't find anything but I'm pretty sure I must have got an infection somehow as I haven't installed any new software yet I'm getting this random error message.

I first noticed this two days ago. I was on a forum and I got an error message with something pile "PIE service has stopped working and has to close", the classic windows error message you get when something crashes.

I've gotten this twice in the last 48 hrs, totally randomly. So either this message is from a virus or PIE is an official part of Widows which has suddenly been effected by a virus/spyware etc.

Bar this random message a little under once a day, my computer is working totally fine and I've noticed nothing else. Obviously though I want to get rid of this thing.

I read Osiris's guide(hi Osiris since you frequent this section), it's rather long and complex for my little mind, a lot of it seems to be about what to do if your computer is so badly infected you can barely make anything run and it's crashing n all sorts so you need to boot from CD's and such.

So what do I need to do with something which seems minor, at least for now anyway. What program is the best at detecting infections? I think malwarebytes is used a lot? Should I use that?

 

[Osiris]

You have an infection, run malwarebytes and hijackthis, then post both logs

 

[Joeyboy]

wasn't sure if I should do quick scan or full scan? It was at quick by default so I'm doing that, if it doesn't give you the info I'll do the other.

 

[Joeyboy]

I wasn't sure whether to just click remove selected is malwarebytes has found 6 files, I didn't in case this is the kind of program which can wrongly detect infection where there is none. Though by the names they all sound like spyware, not sure what fake antispyware I ever downloaded...maybe someone else, but it sounds as if some files relate to some antispyware which obviously isn't really.

Malwarebytes log..(I assume I should scan again and click remove selected on these.)

Malwarebytes' Anti-Malware 1.41
Database version: 3222
Windows 6.0.6001 Service Pack 1

24/11/2009 12:31:48
mbam-log-2009-11-24 (12-31-45).txt

Scan type: Quick Scan
Objects scanned: 115627
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Users\Joe\AppData\Roaming\AntiSpywareBot (Rogue.AntiSpywareBot) -> No action taken.
C:\Users\Joe\AppData\Roaming\AntiSpywareBot\Log (Rogue.AntiSpywareBot) -> No action taken.
C:\Users\Joe\AppData\Roaming\AntiSpywareBot\Settings (Rogue.AntiSpywareBot) -> No action taken.

Files Infected:
C:\Users\Joe\AppData\Roaming\AntiSpywareBot\Log\2008 Sep 12 - 09_12_57 PM_207.log (Rogue.AntiSpywareBot) -> No action taken.
C:\Windows\Tasks\AntispywareBot Scheduled Scan.job (Rogue.AntiSpywareBot) -> No action taken.

 

[Joeyboy]

Here is Hijackthis. Lots of things came up but I know your not meant to delete everything this program finds...though things related to "ask.com" always annoy me..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:37, on 24/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18319)
Boot mode: Normal

Running processes:
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Windows\vVX1000.exe
C:\Program Files (x86)\Electronic Arts\EADM\Core.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\FinePixViewer\QuickDCF2.exe
C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files (x86)\Trillian\trillian.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\Razer\Copperhead\razerhid.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Razer\Copperhead\razerofa.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Ask.com Search Engine - Better Web Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [razer] "C:\Program Files (x86)\Razer\Copperhead\razerhid.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files (x86)\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [BAloud4] C:\Program Files (x86)\Texthelp Systems\Browsealoud\4.0 Virtual\BAloud4.exe
O4 - HKCU\..\Run: [VirtualBrowseAloud] C:\Users\Joe\Downloads\Browsealoud.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files (x86)\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Trillian.lnk = C:\Program Files (x86)\Trillian\trillian.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files (x86)\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files (x86)\Cepstral\bin\CepstralLicSrv.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Scramby Server (ScrambyServer) - RapidSolution Software AG - C:\Program Files (x86)\RapidSolution\Scramby\ScrambyServer.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9250 bytes

 

[Osiris]

When you ran malwarebytes you need to remove the infections, remove them, then run it again and post a new log

Uninstall ASK from add/remove then post a new hijackthis log

 

[Joeyboy]

When you ran malwarebytes you need to remove the infections, remove them, then run it again and post a new log

Uninstall ASK from add/remove then post a new hijackthis log

Couldn't find ASK, could it be it's finding remnants from an old install?

 

[Osiris]

Remove

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Ask.com Search Engine - Better Web Search

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (file missing)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (file missing)

 

[Joeyboy]

ok here's the malwarebytes log after removing those 6, looks clean now.

Malwarebytes' Anti-Malware 1.41
Database version: 3222
Windows 6.0.6001 Service Pack 1

24/11/2009 23:47:02
mbam-log-2009-11-24 (23-47-02).txt

Scan type: Quick Scan
Objects scanned: 115810
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[Osiris]

Yes that looks good