HELP! Win32:Adware Gen and Win32:FakeAlert-AJ


  • This topic is locked
22 replies to this topic

#16 emeraldnzl (Security Colleague, 229 posts)

Posted 21 November 2008 - 04:15 PM

Hi thecuz24,

Please download Regsrch from here

Save it to the desktop, unzip and run it.

If you get an alert from your antivirus about scripting, choose to allow the script to run.

Search for SpywareBot and click OK.

Post the logfile from the tool here for me.

Manners are the basis of a civilized society and make everyone's lives just a little happier. They cost nothing but they are worth so much.
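The search step above, done here as an added PowerShell example rather than with the RegSrch VBScript; this is not from the post or from the RegSrch author. It walks the hives recursively, matches the pattern against key names, value names and value data, and prints hits in the same REGEDIT4-style layout RegSrch writes (so the listing doubles as a .reg file that restores the listed values). It assumes Windows PowerShell 5.1 in an elevated session; the default roots and the pattern "SpywareBot" are taken from the post, and keys the caller cannot open (SAM, SECURITY, unloaded user hives) are skipped instead of aborting the search.

```powershell
# Added example, not the RegSrch script used in the post: a recursive registry
# search for a string in key names, value names and value data, printed in the
# REGEDIT4-style layout RegSrch writes. Assumptions: Windows PowerShell 5.1 in an
# elevated session; keys the caller cannot open are skipped, not fatal.
param(
    [string]$Pattern = 'SpywareBot',
    [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKU:\')
)

# HKU is not a default PowerShell drive; map it so loaded user hives are searched.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Search-RegistryString {
    param([string]$Root, [string]$Pattern)
    $wild = "*$Pattern*"
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # A match on the key name itself is reported as a bare key.
        if ($key.PSChildName -like $wild) {
            [pscustomobject]@{ Key = $key.Name; Name = $null; Data = $null }
        }
        try { $names = $key.GetValueNames() } catch { return }   # no KEY_QUERY_VALUE here
        foreach ($name in $names) {                             # '' is the default value
            $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $data = if ($raw -is [byte[]])       { ($raw | ForEach-Object { $_.ToString('x2') }) -join ',' }
                    elseif ($raw -is [string[]]) { $raw -join '|' }
                    else                         { [string]$raw }
            if ($name -like $wild -or $data -like $wild) {
                [pscustomobject]@{ Key = $key.Name; Name = $name; Data = $data }
            }
        }
    }
}

function Format-RegHit($hit) {
    # [key] header, then the value in .reg syntax with backslashes and quotes
    # escaped, so the listing can be kept as a .reg file that restores the values.
    "[$($hit.Key)]"
    if ($null -ne $hit.Name) {
        $esc = $hit.Data -replace '\\', '\\' -replace '"', '\"'
        $lhs = if ($hit.Name -eq '') { '@' } else { "`"$($hit.Name)`"" }
        "$lhs=`"$esc`""
    }
    ''
}

'REGEDIT4'
"; Registry search results for string `"$Pattern`" $(Get-Date)"
''
foreach ($root in $Roots) {
    Search-RegistryString -Root $root -Pattern $Pattern | ForEach-Object { Format-RegHit $_ }
}
```

Save it as, say, Search-Registry.ps1 and run `.\Search-Registry.ps1 -Pattern SpywareBot > result.txt` from an elevated prompt; a full walk of HKLM\SOFTWARE and HKLM\SYSTEM takes a few minutes. Searching value data as well as names is what turns up entries such as the Installer\Components values in the log that follows, whose names are hashes and would never match the product name on their own.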

 


#17 thecuz24 (Topic Starter, 12 posts)

Posted 21 November 2008 - 05:34 PM

Here ya go.....thanks for the continued support!

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "SpywareBot" 11/21/2008 5:33:03 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008}]
@="SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008}]
"SearchHelper"="SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008}]
"System.ApplicationName"="CNet Media.SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008}\DefaultIcon]
@="\"C:\\Program Files\\SpywareBot\\SpywareBot.exe\", 0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008}\Shell\Open\Command]
@="C:\\Program Files\\SpywareBot\\SpywareBot.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\DC3B4479DC37F46429A18156E5D3E9E5]
"ProductName"="SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\DC3B4479DC37F46429A18156E5D3E9E5\SourceList]
"PackageName"="SpywareBot.msi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\antispyfil_925D70D4597CEA6F6CA81B19F919798BA44ACB15]
"ProductName"="SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\antispyfil_925D70D4597CEA6F6CA81B19F919798BA44ACB15]
"DisplayName"="SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{024D4C40-C8CE-11DB-9704-005056C00008}]
@="SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\SpywareBot\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\SpywareBot\\Microsoft.VC80.ATL\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\SpywareBot\\FilterDrv\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\SpywareBot\\Microsoft.VC80.CRT\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\SpywareBot\\Databases\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\SpywareBot\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4873D204062D3EF41A15258F27DF232D]
"DC3B4479DC37F46429A18156E5D3E9E5"="C:\\Program Files\\SpywareBot\\Microsoft.VC80.CRT\\Microsoft.VC80.CRT.manifest"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4E129C07E82679546B3BD62B07D6D38B]
"DC3B4479DC37F46429A18156E5D3E9E5"="C:\\Program Files\\SpywareBot\\SpywareBot.url"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\70ED0D154A612BE4FA4C842D5D2D33A9]
"DC3B4479DC37F46429A18156E5D3E9E5"="C:\\Program Files\\SpywareBot\\SpywareBot.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8E8921244096502458EC66DA3D54C81A]
"DC3B4479DC37F46429A18156E5D3E9E5"="C:\\Program Files\\SpywareBot\\SpywareBotSrv.srv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8ECE46A3F5C4928449308B419FF35E0F]
"DC3B4479DC37F46429A18156E5D3E9E5"="C:\\Program Files\\SpywareBot\\Microsoft.VC80.ATL\\Microsoft.VC80.ATL.manifest"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\92A88CC5852834E41A756E7D879974D9]
"DC3B4479DC37F46429A18156E5D3E9E5"="01:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C5C1A405238F4774EA4927B216767BB4]
"DC3B4479DC37F46429A18156E5D3E9E5"="C:\\Program Files\\SpywareBot\\Databases\\Spy.ref"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EB093AAF2A3286447B64922B2F4DDF4B]
"DC3B4479DC37F46429A18156E5D3E9E5"="C:\\Program Files\\SpywareBot\\FilterDrv\\antispyfilter.cat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DC3B4479DC37F46429A18156E5D3E9E5\InstallProperties]
"DisplayName"="SpywareBot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DC3B4479DC37F46429A18156E5D3E9E5\InstallProperties]
"URLUpdateInfo"="http://www.spywarebot.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DC3B4479DC37F46429A18156E5D3E9E5\InstallProperties]
"URLInfoAbout"="http://www.spywarebot.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DC3B4479DC37F46429A18156E5D3E9E5\InstallProperties]
"InstallLocation"="C:\\Program Files\\SpywareBot\\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]
"Service"="SpywareBotSrv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]
"DeviceDesc"="SpywareBot Scanning Engine"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]
"Service"="SpywareBotSrv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]
"DeviceDesc"="SpywareBot Scanning Engine"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]
"Service"="SpywareBotSrv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV\0000]
"DeviceDesc"="SpywareBot Scanning Engine"

[HKEY_USERS\S-1-5-21-854245398-299502267-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\SpywareBot]

#18 emeraldnzl (Security Colleague, 229 posts)

Posted 22 November 2008 - 03:47 PM

Hello thecuz24,

A few entries left behind by SpywareBot. To get rid of them we will have to edit your computer's registry.

Before we proceed we need to back up your Registry. Making changes to your computer's registry is a dangerous procedure and a backup will allow us to recover information if necessary.

Download and install ERUNT (Emergency Recovery Utility NT) from here (Lars Hederer) or here (Snapfiles.com).

Click on ERUNT and follow the prompts to back up your registry to a location of your choosing.

-----Step 2-----

Next, we need to create a folder.

Right click on your desktop and scroll down to New and click on Folder to create a folder named SWReg.

Please download SWReg from here and save it to the new folder you have named SWReg.

-----Step 3-----

Now we will edit your computer's registry and get rid of those SpywareBot entries.

Copy the text from the following Code box by highlighting all the text, then right-click and select Copy (or use the Ctrl+C keyboard shortcut).

swreg acl HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV\0000 /GE:F >> result.txt

swreg acl HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV /GE:F >> result.txt

swreg acl HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV\0000 /GE:F >> result.txt

swreg acl HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV /GE:F >> result.txt

swreg acl HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV\0000 /GE:F >> result.txt

swreg acl HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV /GE:F >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV\0000 >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV\0000 >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV\0000 >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV >> result.txt

rem The key path below contains a space (Start Menu2), so it is quoted; unquoted, the tool only sees the path up to the space.
swreg delete "HKEY_USERS\S-1-5-21-854245398-299502267-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\SpywareBot" >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008}\Shell\Open\Command >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008}\DefaultIcon >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008} >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\DC3B4479DC37F46429A18156E5D3E9E5\SourceList >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\DC3B4479DC37F46429A18156E5D3E9E5 >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\antispyfil_925D70D4597CEA6F6CA81B19F919798BA44ACB15 >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{024D4C40-C8CE-11DB-9704-005056C00008} >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4873D204062D3EF41A15258F27DF232D >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4E129C07E82679546B3BD62B07D6D38B >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\70ED0D154A612BE4FA4C842D5D2D33A9 >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8E8921244096502458EC66DA3D54C81A >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8ECE46A3F5C4928449308B419FF35E0F >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\92A88CC5852834E41A756E7D879974D9 >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C5C1A405238F4774EA4927B216767BB4 >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EB093AAF2A3286447B64922B2F4DDF4B >> result.txt

swreg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DC3B4479DC37F46429A18156E5D3E9E5\InstallProperties >> result.txt

notepad result.txt

Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
* Save the file in the same folder you saved SWReg to. Make sure Type is All Files, and name it Fixreg.bat
* Double click on the file created and click Yes when asked to merge the information into the Registry
* In the end Notepad will open with some text. Please post that back here.

The above Registry file was written specifically for this infection on this person's computer. It should NOT be used on another computer, as it may cause serious damage and leave the computer unusable.

Once you have carried out this task, reboot.

So when you return please post
  • the Notepad text
  • and tell me if SpywareBot is still showing up anywhere

Manners are the basis of a civilized society and make everyone's lives just a little happier. They cost nothing but they are worth so much.
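The whole procedure from this post (back up, grant access to the protected keys, delete them, log the result), as an added PowerShell example that is neither SWReg nor the batch file above and is not part of the original thread. It goes a little beyond the batch file in two places that matter on a real machine: CurrentControlSet is an alias of one of the ControlSet00N keys, so it is resolved first and the duplicate dropped rather than deleted twice, and every key path is passed quoted so a space in it ("Start Menu2") cannot truncate the key. It assumes Windows PowerShell 5.1 in an elevated session; the key list is the machine-specific one from the post, shortened to the entries that show both cases, and the folder name SWReg and log name result.txt follow the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not SWReg, not the batch file above): back up, take ownership,
# grant access, delete, log. Two things the batch file does not handle:
# CurrentControlSet is an alias of a ControlSet00N key, and a key path with a
# space in it must be quoted. Key list: from the post, shortened to entries
# that show both cases. Assumes Windows PowerShell 5.1, elevated.

# --- 1. Enable SeTakeOwnershipPrivilege --------------------------------------
# Enum\Root\LEGACY_* keys are owned by SYSTEM and grant Administrators read only,
# so ownership must be taken first. The privilege is in an elevated token but off.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
    public static bool Enable(string privilege) {
        IntPtr htok = IntPtr.Zero;   // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, ref htok)) return false;
        TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 2;   // 2 = SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        return AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    }
}
'@
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Cannot enable SeTakeOwnershipPrivilege' }

# --- 2. Keys to remove (copied from the post, shortened) ---------------------
# The HKU key exists only while that user's hive is loaded (user logged on).
$Keys = @(
    'HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV',
    'HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV',
    'HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV',
    'HKLM\SOFTWARE\Classes\CLSID\{024D4C40-C8CE-11DB-9704-005056C00008}',
    'HKU\S-1-5-21-854245398-299502267-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\SpywareBot'
)
# Resolve the alias to the real control set and drop the duplicate it creates.
$current = 'ControlSet{0:D3}' -f (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current
$Keys = $Keys -replace '\\CurrentControlSet\\', "\$current\" | Select-Object -Unique

$WorkDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'SWReg'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$Log = Join-Path $WorkDir 'result.txt'

function Open-Root([string]$Hive) {
    switch ($Hive) {
        'HKLM'  { [Microsoft.Win32.Registry]::LocalMachine }
        'HKU'   { [Microsoft.Win32.Registry]::Users }
        default { throw "Unsupported hive $Hive" }
    }
}

# This key and every key below it, children first (the batch file lists \0000 first too).
function Get-SubKeyPaths([string]$Hive, [string]$SubKey) {
    $k = (Open-Root $Hive).OpenSubKey($SubKey)
    if (-not $k) { return }
    foreach ($child in $k.GetSubKeyNames()) { Get-SubKeyPaths $Hive "$SubKey\$child" }
    $k.Close()
    $SubKey
}

function Grant-FullControl([string]$Hive, [string]$SubKey) {
    $root  = Open-Root $Hive
    $admin = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'   # BUILTIN\Administrators
    # Take ownership: WRITE_OWNER on the handle is enough now that the privilege is on.
    $k = $root.OpenSubKey($SubKey, 'ReadWriteSubTree', [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($admin)
    $k.SetAccessControl($sec); $k.Close()
    # The owner implicitly holds READ_CONTROL and WRITE_DAC, so the DACL can be rewritten.
    # Full Control goes to Administrators only (SWReg's /GE:F above gives it to Everyone).
    $k = $root.OpenSubKey($SubKey, 'ReadWriteSubTree', [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    $acl = $k.GetAccessControl()
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule $admin, 'FullControl', 'Allow'))
    $k.SetAccessControl($acl); $k.Close()
}

foreach ($key in $Keys) {
    $hive, $sub = $key -split '\\', 2
    $root  = Open-Root $hive
    $probe = $root.OpenSubKey($sub)
    if (-not $probe) { "Key $key does not exist, skipping" | Tee-Object -FilePath $Log -Append; continue }
    $probe.Close()
    # Per-key export before anything changes, on top of the ERUNT backup.
    # The path is passed quoted, so the space in "Start Menu2" is harmless.
    $file = Join-Path $WorkDir (($sub -replace '[\\{}: ]', '_') + '.reg')
    & reg.exe export "$key" "$file" /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $key failed; nothing deleted" }
    foreach ($s in Get-SubKeyPaths $hive $sub) { Grant-FullControl $hive $s }
    $root.DeleteSubKeyTree($sub, $false)
    "Deleted $key (backup: $file)" | Tee-Object -FilePath $Log -Append
}
notepad.exe $Log
```

Run it from an elevated PowerShell prompt after the ERUNT backup; each deleted key also leaves its own .reg export in the SWReg folder, which is the per-key undo. The ownership step is the part a plain `reg delete` cannot do for you: without SeTakeOwnershipPrivilege enabled and a WRITE_OWNER handle, the SYSTEM-owned LEGACY_* keys return access denied even to an administrator, which is exactly why the posted batch file runs an ACL change before every delete.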

 


#19 thecuz24 (Topic Starter)

Posted 22 November 2008 - 05:33 PM

hey emerald.....did what you asked. It didn't ask me to merge anything into the registry though. Here are the results that popped up in the notepad. SpywareBot is no longer showing up in Control Panel or Add/Remove Programs. I'm guessing it worked. THANKS!

Registrykey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV\0000"
Granting Registry rights (F access for This Key) for "Everyone"
Registrykey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPYWAREBOTSRV"
Granting Registry rights (F access for This Key) for "Everyone"
Registrykey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV\0000"
Granting Registry rights (F access for This Key) for "Everyone"
Registrykey: "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPYWAREBOTSRV"
Granting Registry rights (F access for This Key) for "Everyone"
Registrykey: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV\0000"
Granting Registry rights (F access for This Key) for "Everyone"
Registrykey: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPYWAREBOTSRV"
Granting Registry rights (F access for This Key) for "Everyone"

Error: Key: system\currentcontrolset\enum\root\legacy_spywarebotsrv\0000 does not exist!


Error: Key: system\currentcontrolset\enum\root\legacy_spywarebotsrv does not exist!


Error: Key: s-1-5-21-854245398-299502267-725345543-1003\software\microsoft\windows\currentversion\explorer\menuorder\start does not exist!

Edited by thecuz24, 22 November 2008 - 05:36 PM.


#20 emeraldnzl (Security Colleague)

Posted 23 November 2008 - 01:55 PM

"I'm guessing it worked."

Yep, looks like it.

You can uninstall ERUNT through the Add or Remove Programs utility, although you may like to keep it. It is a very good way to back up your registry. If you do decide to keep it, please read the Documentation text, which tells you how to use it.

You can delete RegSrch and the batch file we used.

After that you're all done, have a safe and happy computing day!

Manners are the basis of a civilized society and make everyone's lives just a little happier. They cost nothing but they are worth so much.

 


#21 thecuz24 (Topic Starter)

Posted 23 November 2008 - 02:26 PM

thanks emerald....i appreciate all your help.

Edited by thecuz24, 23 November 2008 - 02:26 PM.


#22 emeraldnzl (Security Colleague)

Posted 23 November 2008 - 08:41 PM

You're very welcome. :thumbsup:

Manners are the basis of a civilized society and make everyone's lives just a little happier. They cost nothing but they are worth so much.

 

#23 Shaba (Koutsi, 7,872 posts, Finland)

Posted 24 November 2008 - 01:56 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security