Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With 'pestrap' And Maybe 'spysherrif'. Your Help Sought.


  • Please log in to reply
7 replies to this topic

#1 carljamespatton

carljamespatton

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Location:Wellington, New Zealand
  • Local time:02:17 AM

Posted 24 February 2006 - 06:36 PM

Hello

My computer is infected with Pestrap, and I would be very grateful if you could help me in trying to remove it and whatever else shouldnt be in my computer. I have a new background which informs me I am infected with spyware and invites me to buy the solution. This occured about 3 days ago. Before accepting the invitation I did a quick search and found this to be a scam. Thanks to bleepingcomputer and a number of other sites for pointing this out. I have since followed the instrctions on 'prep guide before posting a hijack this log'. A number of the steps indicated they had removed this or that infection. However, my computer's background remains the same, and indeed bleepingcomputer warned me that the infection may be in the part of the computer which returns every time I log on-I'm sorry I am not computer-literate, so the proper name escapes me. I am concerned that things like my passwords may be visible to 'should be shot in the knee caps' scum who pay for these spyware things. I note that Mcafee stinger didnt appear to do anything-it ran a scan, but then didnt give me any results of the scan or options as to what to do-it just returned to the screen where I could elect to run a scan. Perhaps the infection is effecting it?

Sorry, I should have included that my screen message says "Warning! spyware detected on your computer! Install an anti-virus or spyare remover to clean your computer. View the list of top spyware removers here."

Please see the Hijack this log below, I hope that I have done this correctly. I have also pasted the bitdefnder report below in case it is useful. My thanks in advance for any advice you can offer:

Logfile of HijackThis v1.99.1
Scan saved at 23:18:00, on 24/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC10.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129545616171
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C778E8A-CBC2-4D56-A983-310271B108D8}: NameServer = 202.27.158.40 202.27.156.72
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Below is the bitdefender report-in case it is useful:

BitDefender Online Scanner



Scan report generated at: Fri, Feb 24, 2006 - 07:41:59





Scan path: C:\;D:\;







Statistics

Time
01:51:41

Files
777871

Folders
4643

Boot Sectors
3

Archives
9921

Packed Files
109886




Results

Identified Viruses
3

Infected Files
10

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
16




Engines Info

Virus Definitions
274548

Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins
13

Archive plugins
39

Unpack plugins
4

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Program Files\Norton AntiVirus\Quarantine\03647C63.exe=>(Quarantine-2)
Infected with: Trojan.LowZones.DM

C:\Program Files\Norton AntiVirus\Quarantine\03647C63.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\26581F12.dll=>(Quarantine-2)
Infected with: Trojan.WininetHook.A

C:\Program Files\Norton AntiVirus\Quarantine\26581F12.dll=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\26581F12.dll=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\352134CD.exe=>(Quarantine-2)
Infected with: Trojan.LowZones.DM

C:\Program Files\Norton AntiVirus\Quarantine\352134CD.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\37E57696.wmf
Infected with: Exploit.Win32.WMF-PFV.B

C:\Program Files\Norton AntiVirus\Quarantine\37E57696.wmf
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\37E57696.wmf
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\39F9324C.wmf
Infected with: Exploit.Win32.WMF-PFV.B

C:\Program Files\Norton AntiVirus\Quarantine\39F9324C.wmf
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\39F9324C.wmf
Deleted

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP95\A0025759.exe
Infected with: Trojan.LowZones.DM

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP95\A0025759.exe
Disinfection failed

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP95\A0025759.exe
Deleted

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP95\A0025796.exe
Infected with: Trojan.LowZones.DM

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP95\A0025796.exe
Disinfection failed

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP95\A0025796.exe
Deleted

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP96\A0025809.exe=>(Quarantine-2)
Infected with: Trojan.LowZones.DM

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP96\A0025809.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP96\A0025810.dll=>(Quarantine-2)
Infected with: Trojan.WininetHook.A

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP96\A0025810.dll=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP96\A0025810.dll=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP96\A0025811.exe=>(Quarantine-2)
Infected with: Trojan.LowZones.DM

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP96\A0025811.exe=>(Quarantine-2)
Deleted

Edited by carljamespatton, 24 February 2006 - 06:47 PM.


BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:17 AM

Posted 26 February 2006 - 11:17 AM

Hello carljamespatton and welcome to theBC HijackThis forum. Let's s see what Ewido finds.

Download and install the trial version of the ewido security suite. Update the program and then close it. Do not run it yet.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Post the contents of the Ewido scan log back here and I will review the information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 carljamespatton

carljamespatton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Location:Wellington, New Zealand
  • Local time:02:17 AM

Posted 26 February 2006 - 06:32 PM

Hi Oldtimer

Thanks for your advice. I ran that ewido scan as you suggested, the results are attached below. I note that my screen saver which has been saying ""Warning! spyware detected on your computer! Install an anti-virus or spyare remover to clean your computer. View the list of top spyware removers here" still shows this, but now only covers half the screen, so I can see my own screen saver (a marmot on top of a Pass In Colorado looking very marmoty). Otherwise I have nothing to report.

Also, the firewall I have downloaded, Zone Alarm, says it has blocked 282 attempted intrusions, 34 of those have been high rated. I thought this info might be useful.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:04:13, 26/02/2006
+ Report-Checksum: D3F2AFB1

+ Scan result:

HKLM\SOFTWARE\Altnet -> Adware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Adware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Adware.Altnet : Error during cleaning
HKU\S-1-5-21-3288745728-1025953326-2001493773-1008\Software\Microsoft\MSN6\LogonManager\Connectors\{E3FF7209-58AA-4BF9-9354-01AF5FB1B898} -> Adware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@e-2dj6wjmywpajsfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@interchangecorporation.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@microsofteup.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@need2find[1].txt -> TrackingCookie.Need2find : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@service.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Mauzima\Cookies\mauzima@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\ncj.exe -> Not-A-Virus.Hoax.Win32.Renos.bb : Cleaned with backup
C:\Program Files\UTStarcom\now wireless broadband\dialer\Dialer.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\system32\intell321.exe -> Trojan.Small.ev : Cleaned with backup


::Report End


Thanks again for any advice you can offer.

Also, I don't have a paypal account but would like to donate something. Do you know if I can do so over the phone?

Kind regards

Carl

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:17 AM

Posted 27 February 2006 - 04:31 PM

Hi carljamespatton. Have you tried resetting the desktop? Right-click on the desktop and then click on Properties. Verify that the background is the correct one that you want and then cleick on the Web tab. If Show Web Content on my Active Desktop is checked, then click on any pages in the selection box below it and click the Delete button to remove them. When they are all gone uncheck the Show Web Content on my Active Desktop checkbox. Click the Apply button and then the Ok button to save the settings.

Let me know what you find.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 carljamespatton

carljamespatton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Location:Wellington, New Zealand
  • Local time:02:17 AM

Posted 27 February 2006 - 05:10 PM

Hi Oldtimer

Unfortunately my screen saver is back to being 100% "warning infection etc". When I right click anf go to properties I get a 'general' tab only, with no option to do the things you suggested. It says it is an HTML document, for what that is worth. Ive tried dragging the screen down at the top and sneaking in underneath to my picture, but I cant right click on the picture in time. If you can picture that!

Did the ewido scan show anything that could be done re hijack this?

thanks

Carl

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:17 AM

Posted 27 February 2006 - 05:29 PM

Hi carljamespatton. Ok, then let's do this. Please print these directions and then proceed with the following steps in order.

Step #1

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Step #2

Place a shortcut to Panda ActiveScan on your desktop.

Step #3

Update the Ewido program and then close it. Do not run it yet.

Step #4

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do not run it yet.

Step #5

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Step #6

Close any open windows and then open the c:\smitRem folder. Double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish. When the tool is finished, it will will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.

Step #7

Open Ad-aware and do a full scan. Remove all it finds.

Step #8

Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Step #9

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Step #10

Reboot normally and click the Panda ActiveScan shortcut. Make sure the autoclean box is checked and perform a full system scan.

Post the smitfiles.txt file, the Ewido log and the Pand ActiveScan log back here and I will review the information when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 carljamespatton

carljamespatton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Location:Wellington, New Zealand
  • Local time:02:17 AM

Posted 28 February 2006 - 09:18 PM

Hi Oldtimer

Thanks for your advice. I followed your advice and have attached the logs. I note that after adwrae cleaned a number of bad things from my computer, i scanned again and found 1 still there. It appears it couldnt remove it. Also, I scanned with Panda, but I could not see an option to remove as well, indeed the site says that the free version of panda scan removes only viruses, not spyware etc. I hope the logs are of some help. Good luck and thanks again for keeping on with this.

regards

Carl

------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 00:34:53, 01/03/2006
+ Report-Checksum: 234915F0

+ Scan result:

HKLM\SOFTWARE\Altnet -> Adware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Adware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Adware.Altnet : Error during cleaning


::Report End


Adaware report


Ad-Aware SE Build 1.06r1
Logfile Created on:28 February 2006 22:52:00
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R94 28.02.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AltnetBDE(TAC index:4):1 total references
MRU List(TAC index:0):35 total references
SpywareNo(TAC index:7):14 total references
Tracking Cookie(TAC index:3):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


28-02-2006 22:52:00 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Carl\Application Data\microsoft\office\recent
Description :


MRU List Object Recognized!
Location: : C:\Documents and Settings\Carl\recent
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description :


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\internet explorer
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\internet explorer\main
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\internet explorer\typedurls
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\mediaplayer\medialibraryui
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\mediaplayer\player\settings
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\microsoft management console\recent file list
Description :



MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\office\11.0\access\settings
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\office\11.0\common\general
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\office\11.0\powerpoint\recent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\office\11.0\publisher\recent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\search assistant\acmru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\windows\currentversion\applets\paint\recent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\windows\currentversion\explorer\recentdocs
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\windows\currentversion\explorer\runmru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\realnetworks\realplayer\6.0\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\realnetworks\realplayer\6.0\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\realnetworks\realplayer\6.0\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\realnetworks\realplayer\6.0\preferences
Description :


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description :


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description :


MRU List Object Recognized!
Location: : S-1-5-21-3288745728-1025953326-2001493773-1008\software\microsoft\windows media\wmsdk\general
Description :


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 128
ThreadCreationTime : 28-02-2006 22:37:14
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 180
ThreadCreationTime : 28-02-2006 22:37:24
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 204
ThreadCreationTime : 28-02-2006 22:37:26
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 248
ThreadCreationTime : 28-02-2006 22:37:33
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 260
ThreadCreationTime : 28-02-2006 22:37:33
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 408
ThreadCreationTime : 28-02-2006 22:37:36
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 468
ThreadCreationTime : 28-02-2006 22:37:38
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 512
ThreadCreationTime : 28-02-2006 22:37:39
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1944
ThreadCreationTime : 28-02-2006 22:42:09
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 156
ThreadCreationTime : 28-02-2006 22:51:35
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AltnetBDE Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\altnet

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 36


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 36


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : carl@creview.adbureau[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:carl@creview.adbureau.net/
Expires : 01-03-2007
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : carl@z1.adserver[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:carl@z1.adserver.com/
Expires : 26-02-2007 02:04:48
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : carl@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:13
Value : Cookie:carl@imrworldwide.com/cgi-bin
Expires : 25-02-2016 23:26:44
LastSync : Hits:13
UseCount : 0
Hits : 13

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : carl@bluestreak[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:carl@bluestreak.com/
Expires : 25-02-2016 19:16:54
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : carl@bs.serving-sys[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:carl@bs.serving-sys.com/
Expires : 31-12-2037 22:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : carl@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:carl@zedo.com/
Expires : 24-02-2016 10:21:24
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : carl@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:carl@serving-sys.com/
Expires : 31-12-2037 22:00:00
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 43



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SpywareNo Object Recognized!
Type : File
Data : A0024554.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP91\



SpywareNo Object Recognized!
Type : File
Data : A0024555.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP91\



SpywareNo Object Recognized!
Type : File
Data : A0024635.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP93\



SpywareNo Object Recognized!
Type : File
Data : A0024706.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP94\



SpywareNo Object Recognized!
Type : File
Data : A0024742.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP94\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 48


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 48




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SpywareNo Object Recognized!
Type : RegData
Data : 2
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\general
Value : WallpaperStyle
Data : 2

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\explorer
Value : ClassicShell
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\explorer
Value : NoActiveDesktop
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoAddingComponents
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoChangingWallpaper
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoComponents
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoEditingComponents
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop
Value : NoHTMLWallPaper
Data : 0

SpywareNo Object Recognized!
Type : RegData
Data : 0
TAC Rating : 7
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\components
Value : GeneralFlags
Data : 0

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 9
Objects found so far: 57

23:03:09 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:09.328
Objects scanned:157597
Objects identified:22
Objects ignored:0
New critical objects:22




2nd Aware scan after it tried to remove all the spware etc


Ad-Aware SE Build 1.06r1
Logfile Created on:28 February 2006 23:24:32
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R94 28.02.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AltnetBDE(TAC index:4):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


28-02-2006 23:24:32 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 128
ThreadCreationTime : 28-02-2006 22:37:14
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 180
ThreadCreationTime : 28-02-2006 22:37:24
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 204
ThreadCreationTime : 28-02-2006 22:37:26
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 248
ThreadCreationTime : 28-02-2006 22:37:33
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 260
ThreadCreationTime : 28-02-2006 22:37:33
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 408
ThreadCreationTime : 28-02-2006 22:37:36
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 468
ThreadCreationTime : 28-02-2006 22:37:38
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 512
ThreadCreationTime : 28-02-2006 22:37:39
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1944
ThreadCreationTime : 28-02-2006 22:42:09
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 156
ThreadCreationTime : 28-02-2006 22:51:35
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AltnetBDE Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\altnet

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 1




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

23:33:59 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:26.875
Objects scanned:157585
Objects identified:1
Objects ignored:0
New critical objects:1





Incident Status Location

Adware:adware/alfacleaner Not disinfected C:\WINDOWS\uninstDsk.exe
Adware:adware/cydoor Not disinfected C:\WINDOWS\cdmxtras
Adware:adware/p2pnetworking Not disinfected Windows Registry
Potentially unwanted tool:application/need2find Not disinfected HKEY_CLASSES_ROOT\CLSID\{630D6140-04C5-4DB0-B27A-020D766FF09B}
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Carl\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Carl\My Documents\Miscellaneous\anti spy\smitRem.exe[Process.exe]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@ask[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@belnk[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@desktop.kazaa[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@go[1].txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@mysearch[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@searchportal.information[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Mauzima\Cookies\mauzima@xmts[1].txt
Adware:Adware/P2PNetworking Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\24A8FD7D-9B94-4571-8F59-B0CA35\3219921D-4037-44C1-B856-33C79C
Adware:Adware/P2PNetworking Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\24A8FD7D-9B94-4571-8F59-B0CA35\B0A6E810-04E9-4AD7-86B5-66C4BD
Adware:Adware/P2PNetworking Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\328F6B2F-46AD-43F3-BD9E-E8433F\4E77435A-654B-40A4-AA51-838B08





Smitfiles


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 28/02/2006
The current time is: 22:38:59.90

Running from
C:\Documents and Settings\Carl\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 724 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:10:17 AM

Posted 01 March 2006 - 05:08 PM

Hi carljamespatton. That all looks pretty normal. Let's reset the Display Properties dialog.

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
00,00,00


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer. Now right-click on the desktop and then click on Properties. Verify that the background is the correct one that you want and then cleick on the Web tab. If Show Web Content on my Active Desktop is checked, then click on any pages in the selection box below it and click the Delete button to remove them. When they are all gone uncheck the Show Web Content on my Active Desktop checkbox. Click the Apply button and then the Ok button to save the settings.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users