Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Unknown Spyware Which Tries To Sell Antispyware To Me


  • This topic is locked This topic is locked
2 replies to this topic

#1 janee

janee

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 19 November 2007 - 06:15 AM

Hi there,

I really hope someone can help me out here.

My problem – I do not know how to remove spyware that infected my computer.
I do not know a name for the malware on my system.

When my system became infected, 2 icons appeared in the notification section of my toolbar.
Both had regular pop-ups guiding me to anti-spyware pages. I was stupid at first and followed the link (didn't download anything there) – I realised they were manipulating me when I realised the link would take me to a different (all dodgy) anti-spyware dealer each time.

I have followed Bleepingcomputers 'preparation guide for use before posting a hijackthis log'

Before this problem I only had AVAST free anti-virus software as protection.
I use firefox – explorer is installed on my pc though (os: windows xp)

Some details concerning my attempts at cleaning up:

1.I have run Ad-aware 4 times, it did not find 'critical objects' but did list cookies and 'mru' objects (sorry that might be the wrong acronym – something like that though – you'll know what i mean if you've run ad-aware) --- which I removed each time.
2.I have run spy-bot 4 times (restarts and 1 safe boot between runs) – the first run listed 27 'red' objects – the second 7 or 8 red objects and the last two runs came up clean.
3.I ran housecall antivirus – it removed some stuff – but left me with a huge list of 'vulnerabilities' --- which makes little sense to me.
4.I ran mcafee twice – and as they suggested I disabled system restore for the run

After all of this, one of the icons disappeared, but the other is still with me – the icon is a shield shape that switches between, being blue with a question mark on it, and, red with a cross on it.
The pop-up emanating from it reads:


“System alert!

System have detected a number of active spyware applications that may impact the performance of your computer.
Click the icon to get rid of unwanted spyware by downloading an up-to-date anti spyware solution”


Here is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:14 PM, on 2007/11/19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\ATKKBService.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\Analog Devices\Core\smax4pnp.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\Program Files\Java\jre1.6.0\bin\jusched.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\Winamp\winampa.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Surecom\Common\RaUI.exe
E:\Program Files\OpenOffice.org 2.0\program\soffice.exe
E:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\PartyGaming\PartyGaming.exe
F:\In\anti\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B760D6-C98B-450B-9B32-26C7775CDF83} - E:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - E:\Program Files\Video Add-on\ictmdl.dll (file missing)
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] E:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Surecom Wireless Utility.lnk = E:\Program Files\Surecom\Common\RaUI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: 3 Piggs Poker - {4835CF45-71B5-4c6c-BBE0-350DCD75D237} - E:\Microgaming\Poker\3piggspokerMPP\MPPoker.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: haeckel - {8373a2e0-bdd0-42bd-b4ec-ba5451eb6607} - E:\WINDOWS\system32\moywh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - E:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 6104 bytes[/size][/size]



PLEASE help.

Thank you for your time

Jaco

Edited by KoanYorel, 19 November 2007 - 11:29 AM.
Email address removed to protect from spammers


BC AdBot (Login to Remove)

 


m

#2 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 23 November 2007 - 02:26 PM

Hi,
welcome to Bleepingcomputer. My name is Rosty and I'm going to help you with your log.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Regards,

Rosty.
Posted Image
Proud member of ASAP since 2007

#3 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 06 December 2007 - 01:21 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Regards,

Rosty.
Posted Image
Proud member of ASAP since 2007




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users