
help after virus infection


16 replies to this topic

#1 rfearo


Posted 05 January 2009 - 06:48 PM

Hello all,



Almost a week ago I was the victim of my first and very vicious attack. Since then, I have been using a battery of anti-spyware, malware, and anti-virus to clean my computer. As of yesterday I thought I was clean. Then I came to this site and someone suggested I use SAS which I did. I first used the quick scan and this was the result:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2009 at 05:58 PM

Application Version : 4.24.1004

Core Rules Database Version : 3695
Trace Rules Database Version: 1671

Scan type : Quick Scan
Total Scan Time : 00:12:21

Memory items scanned : 428
Memory threats detected : 0
Registry items scanned : 543
Registry threats detected : 9
File items scanned : 8277
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@bestvirusremover2008[1].txt
C:\Documents and Settings\Owner\Cookies\owner@gomyhit[2].txt
C:\Documents and Settings\Owner\Cookies\owner@city-of-sex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@wmvmedialease[1].txt
C:\Documents and Settings\Owner\Cookies\owner@gomyhit[3].txt
C:\Documents and Settings\Owner\Cookies\owner@adtrafficstats[2].txt
C:\Documents and Settings\Owner\Cookies\owner@en.personalantispy[2].txt

Rogue.SpywareStop
HKU\S-1-5-21-425041331-1777984735-4204730776-1006\Software\Microsoft\Windows\CurrentVersion\Run#SpywareStop [ C:\Program Files\SpywareStop\SpywareStop.exe -boot ]

Rogue.Component/Trace
HKLM\Software\Microsoft\AC72A13D
HKLM\Software\Microsoft\AC72A13D#ac72a13d
HKLM\Software\Microsoft\AC72A13D#Version
HKLM\Software\Microsoft\AC72A13D#ac720cbd
HKLM\Software\Microsoft\AC72A13D#ac726558
HKU\S-1-5-21-425041331-1777984735-4204730776-1006\Software\Microsoft\FIAS4018

Rogue.RapidAntivirus
HKU\.DEFAULT\Software\Rapid Antivirus
HKU\S-1-5-18\Software\Rapid Antivirus


Then I did the full scan and this is what I got:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/05/2009 at 06:36 PM

Application Version : 4.24.1004

Core Rules Database Version : 3695
Trace Rules Database Version: 1671

Scan type : Complete Scan
Total Scan Time : 00:27:17

Memory items scanned : 425
Memory threats detected : 0
Registry items scanned : 6261
Registry threats detected : 0
File items scanned : 22931
File threats detected : 2

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP445\A0052211.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP445\A0052230.SYS

Can someone please look at this and tell me what you think? I am not savvy enough to make heads or tails of this.


Many thanks.

p.s. This is the best site ever! You guys seem to know everything!
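Added here as a triage helper, not part of the original thread and not SUPERAntiSpyware's own tooling: this Python script parses a log in the layout pasted above and labels each hit by what it implies for the machine (a Run-key entry is an autostart persistence point, a _RESTORE path lives only inside a System Restore snapshot, a cookie is a privacy nuisance), and pulls out the program paths that the Run entries launch so they can be checked for leftovers after an uninstall. The sample log, its SID and its GUID are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt (not the poster's real log) in the layout SUPERAntiSpyware
# uses above: header lines, then one blank-line-separated group per threat family.
SAMPLE_LOG = r"""Scan type : Quick Scan
Registry threats detected : 2
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@example-adnetwork[1].txt

Rogue.SpywareStop
HKU\S-1-5-21-1-2-3-1006\Software\Microsoft\Windows\CurrentVersion\Run#SpywareStop [ C:\Program Files\SpywareStop\SpywareStop.exe -boot ]
HKLM\Software\Microsoft\ABCDEF01#Version

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-4000-8000-000000000000}\RP445\A0052211.SYS
"""

FAMILY_RE = re.compile(r"^[A-Za-z]+\.\S")  # "Rogue.SpywareStop", "Trojan.Unknown Origin", ...

def parse_sas_log(text):
    """Return {family: [detected items]}; header lines before the first family are skipped."""
    findings, family = defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            family = None                     # a blank line closes the current group
        elif family is None and FAMILY_RE.match(line):
            family = line
        elif family is not None:
            findings[family].append(line)
    return dict(findings)

def classify(item):
    """What one hit implies for the machine, rather than just that it was 'detected'."""
    if "\\CurrentVersion\\Run#" in item:
        return "autostart"        # persistence: re-check the startup list after removal
    if "\\_RESTORE{" in item:
        return "restore-point"    # inert unless a System Restore revives it; purge old points
    if "\\Cookies\\" in item:
        return "tracking-cookie"  # privacy nuisance, not code execution
    return "trace"                # leftover registry/file marker

def autostart_targets(findings):
    """Program paths launched by Run-key hits: the files to look for after uninstalling."""
    return [m.group(1) for items in findings.values() for item in items
            if (m := re.search(r"Run#\S+ \[ (.+?) \]$", item))]
```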



#2 buddy215


Posted 05 January 2009 - 07:23 PM

Do a scan with MalwareBytes AntiMalware.
http://www.bleepingcomputer.com/forums/ind...st&p=944365

The two items in your last SAS scan are in system restore. If MBAM doesn't find any malware do the steps below.

Use Secunia online scanner to check for missing security updates. http://secunia.com/vulnerability_scanning/online/
After updating Java (if you haven't done so already) go to Add/ Remove and remove ALL old Java programs.
IE browser, Adobe Reader, Adobe Flash and Java have all been exploited recently. It is important to get the latest updates to avoid malware exploiting those programs.

Click Start, All Programs, Accessories, System Tools, Disk Cleanup. Put a check next to all items except "compress old files". Then click on the More Options tab. Click on the button to remove all but the last system restore point. Click OK and allow the cleanup to run.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 rfearo


Posted 05 January 2009 - 08:54 PM

Thanks Buddy. Dumb question, but will I need those deleted Java programs? Also, ran SpywareStop after SAS and found three Adrotator viruses in my temp. internet files and had them quarantined if that adds anything to this.


Thanks again

#4 buddy215


Posted 05 January 2009 - 09:06 PM

SpywareStop is a corrupt anti-spyware parasite that is actively distributed using Google ads and various shareware/crack websites in order to get into users' systems. This program claims to be a legitimate spyware remover, when it is in fact a scamming application that displays exaggerated threat reports in order to mislead users into buying its counterfeit "full" version. Additionally, it refuses to be uninstalled from the user's system.

If you need help removing Spyware Stop, post back. It is possible that MBAM will remove Spyware Stop.

You only need the latest Java. Starting with the next update of Java, Java will automatically remove the version you have now during the update install. So, unless you have a program that you know of that needs an older version, delete all of them.

Edited by buddy215, 05 January 2009 - 09:16 PM.


#5 rfearo


Posted 06 January 2009 - 07:36 AM

Buddy,


Had no idea SpywareStop was a bogus tool. Actually bought the full version of it. LOL! So you think I should get rid of it? Can you tell me how? And what should I replace it with?



Thanks

#6 buddy215


Posted 06 January 2009 - 08:57 AM

In your PM you said that MBAM did not remove SpywareStop.
You also asked what to replace it with.

Some freeware that I would recommend are Spyware Blaster and WinPatrol. SB uses no resources and you only need to update it twice monthly or pay a small fee for automatic updates. WinPatrol will alert you to changes in browser, startups, etc. and has many useful tools.
Other than those two, you should keep either or both MBAM and SAS and update them occasionally. If you want one of their realtime protections you will have to pay for it.

Have you tried uninstalling SpywareStop by using Add/Remove Programs? It might work since you have paid for it. Though the last I looked there were a lot of users trying to find a way to completely remove it.

No need to PM me as I monitor the posts that I respond to and you will have others helping you, too.

http://www.javacoolsoftware.com/spywareblaster.html
http://www.winpatrol.com/

#7 rfearo


Posted 06 January 2009 - 10:00 AM

Sorry for the PMs. I appreciate your input. In case I cannot remove SpywareStop using the Add/Remove function, do you know of a safe and relatively uncomplicated way to accomplish this? The research I did pointed to some solutions that I wouldn't feel comfortable doing myself, as I am not the most tech-savvy guy in the world.

On another note, while trying to find ways to remove this, I found quite a few sources that still tout SpywareStop as a legitimate product.

Thanks again for the help.

#8 buddy215


Posted 06 January 2009 - 10:23 AM

Just like TV infomercials, you can't rely on "testimonials". You can find rave reviews for every rogue there is, and there are many more rogue programs than legit ones. One good source to check out security programs is Spyware Warrior, or you can ask here.
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Spyware-Stop spyware-stop.com false positives work as goad to purchase; inadequate scan reporting; same app as Brave Sentry, DIARemover, MalwareAlarm, Mr.AntiSpy, PestCapture, PestTrap, PestWiper, SpyDemolisher, SpyMarshal, SpySheriff, SpyTrooper, & SpywareNo [A: 1-16-06 / U: 1-16-06]

Try the uninstaller in Add/Remove first. I understand your reluctance to do manual uninstalls. Better safe than sorry.
Let us know if the uninstaller works or not.

#9 rfearo


Posted 06 January 2009 - 10:33 AM

Will do. At work now but will jump on it when I get home and let you know the results.


Thanks again!

#10 rfearo


Posted 06 January 2009 - 06:48 PM

Good news! Was able to remove it through the Add/Remove Programs option. SAS and Malwarebytes scans came up clean. However, I thought I read SpywareStop was extremely hard to get rid of. Could it still be hidden in my system somewhere? Any advice would be appreciated.



Thanks!

#11 buddy215


Posted 06 January 2009 - 08:19 PM

Good. Glad the uninstaller worked. The reason you saw a lot of users having trouble uninstalling it is because it is usually installed without the user's permission by a very serious piece of malware called Vundo.

After you have installed WinPatrol, one of the tabs you can click on is "Startup Programs". Would be a good idea to see if Spyware Stop is in the startup. If by chance it is, you can remove it from startup using WinPatrol.

Wouldn't hurt to look around a bit and see if there are any leftovers. One way is to do a file/word search for Spyware Stop.
The link below lists a number of files you could look for manually.
http://www.xp-vista.com/spyware-removal/sp...al-instructions

Looks like your original problem is solved.

Edited by buddy215, 06 January 2009 - 08:23 PM.


#12 rfearo


Posted 06 January 2009 - 08:44 PM

Found a couple random files. Installed WinPatrol but not sure how to use it. Any pointers?

#13 buddy215


Posted 06 January 2009 - 09:20 PM

Best to go back to the site and read up on it.
It generally is inactive until you install a program or other change. It will then alert you to the changes and ask whether to allow or not. So if you suddenly get an alert from WinPatrol and you are not installing anything it could be malware.

Open WinPatrol and explore the tabs. Look to the bottom of the window and see the options.

Click on the "options" tab and select the options you want. Here is a link to how I have mine. Click on the image to enlarge.
http://i77.photobucket.com/albums/j71/budd...trolOptions.jpg

#14 rfearo


Posted 06 January 2009 - 09:25 PM

Will do. Just want to say thanks again for all your help. You've been very patient.

Any other suggestions on how I can check to make sure I'm clean? Last two scans came up good, but should I be using something else besides SAS, Malwarebytes, and AVG 8.0 Free?

#15 buddy215


Posted 06 January 2009 - 09:42 PM

Bit Defender is a good online scanner. It will remove whatever malware it finds.
http://www.bitdefender.com/scan8/ie.html

Other than that, you should run a scan a couple of times in the next week after updating one or both of SAS and MBAM.



