
Spyware Quake & Malware Wipe Infection


  • This topic is locked
10 replies to this topic

#1 HowardK

HowardK

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 20 April 2006 - 01:17 AM

Hello,

My computer was infected by a virus last week and I found the programs Spyware Quake and Malware Wipe installed onto my computer. I took the necessary steps on your forum, plus a couple of others, to clean my computer as thoroughly as possible before posting my HijackThis log. The viruses seem to be gone, but I would like a second opinion. Also I notice that whenever I run Trend Micro's online scanner my McAfee Security Center alerts me that it has detected and deleted a virus called Exploit_ObscuredHtml. Any explanation as to why this happens, and like I said it only happens during a Trend Micro Housecall scan? Another question (sorry for all the questions, I've gotten a little paranoid since my computer got infected): I found a folder "Totem shared" on my C drive, I did a search and found out that the folder should be deleted, which I did, but I just wanted to know if that is all I have to do? And lastly, I read that alg.exe should only be found in my system32 folder; I did a search on my computer finding that it is also located in windows\servicepackfiles\i386 and I found something called ALG.EXE-275708CF.pf in my windows\prefetch, I would like to know if there is any reason to be alarmed? Will my HijackThis log show any other .exe files that do not belong in any other folders other than system32?



As for the extra steps I took to remove spyware quake this is one of them, just getting a second opinion again whether or not this is an effective method or not:


Spyware Quake/SpywareQuake is a new fake antispyware application. Once installed (usually the installation is carried out by Trojans or using Windows vulnerabilities) on a PC it generates fake messages informing the user that the PC is infected with fake malware in an attempt to get the user to buy a commercial application.

Spyware Quake

Spyware Quake message

There is also a Windows System Tray message generated:

Spyware Quake System Tray message

Your computer is infected!
Critical System Error!
System detected virus
activities. They may cause
critical system failure. Please
use antimalware software to
clean and protect your system
from parasite programs.
Click here to get all available
software.

To remove Spyware Quake you need to download two tools:

* smitRem.exe
* FixSQ.reg

It's important to bear in mind that smitRem DOES NOT uninstall Spyware Quake – this is to uninstall portions of Smitfraud that is installed as part of Spyware Quake. Soon smitRem will be updated to include Spyware Quake and the uninstall will be far easier.

Spyware Quake Removal Instructions

1. Download smitRem.exe and FixSQ.reg. Save both to your Windows desktop.
2. Double-click on smitRem to run it and extract the files to your desktop.
Spyware Quake smitRem extract
3. Double-click on FixSQ.reg. When asked if you want to merge the information into your Windows registry, click Yes and then OK.
4. Now reboot your PC and start it in Safe Mode. This is an important step! If you allow the system to boot into Windows normally you will have to go back to Step 1.
5. Once your PC has booted into Windows enter Control Panel and double-click on Add or Remove Programs.
6. Find the entry for SpywareQuake and double-click on it and uninstall the application. DO NOT reboot the PC if prompted to do so!
7. Delete the following files and folders (some may not be present on your system):
c:\windows\system32\nvctrl.exe
c:\windows\system32\dfrgsrv.exe
c:\windows\system32\mssearchnet.exe
c:\windows\system32\stickrep.dll
c:\program files\spywarequake\
8. Double-click on the smitRem folder on your desktop and run the file contained in the folder called RunThis.bat. This program will then guide you through the uninstall process for any remaining components that are installed on your system. It will also automatically run Disk Cleanup to remove any remaining traces of the spyware.
9. Reboot your system and start it up normally.
10. Install/update your antivirus/antispyware applications and run a full system scan. If you aren't running any, get some! Do not skip this step! At the very least run a free online scan at the Windows Live Safety Center.
11. Click on Start > All Programs > Accessories > System Tools > Disk Cleanup. Run a Disk Cleanup operation on the drive you have Windows installed onto (usually C drive). Remove all the temporary files and temporary Internet files to make sure that Spyware Quake is gone.
12. At the end of all this you might find that a few things are different. Your homepage might be a blank (about:blank) and your cookies containing login details for some websites might be gone. You will have to reset these as you use the system.

That's it! Your system should now be free of this annoying malware.




Now here's my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 1:04:16 AM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Softimage\XSI_4.2\Application\bin\raysatxsi4_2server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.299.33.21 bin.mcafee.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7a932ed2-1737-4ab8-b84d-c71779958551} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FHM - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145317369156
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: RaySatxsi4_2 Server (RaySatxsi4_2Server) - Unknown owner - C:\Softimage\XSI_4.2\Application\bin\raysatxsi4_2server.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



I would just like to thank anyone who decides to help me in advance. I really appreciate it.


HowardK



#2 HowardK

HowardK
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 24 April 2006 - 02:09 AM

I'm sorry if I am going about the wrong way in addressing my problem again ( I am a new member), but is there anyone that can check my log to see if I am still infected? :thumbsup:

Thanks,
Howard

#3 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:47 AM

Posted 26 April 2006 - 03:04 PM

Hello Howard and welcome to the forum. I apologize for the delay, the forums are extremely busy and the logs far outnumber the volunteers.
Looks like the Smitfraud issue is resolved, there is just one line left. You do have a nasty program that is not part of Smitfraud, see this:
C:\Program Files\Optimum Online\Netsurf.exe <<< http://castlecops.com/startuplist-2624.html What I would like to do is clean a little, and remove what I see. Then you can tell me how you are running. Let's do this:

Oops...it occurred to me this Optimum Online program might have to do with your Internet Service Provider. If that is the case, do not remove it and you would have to take up the spyware issues with them.


1) ewido scan:
Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
(next item, if you know what it is fine, if not check and remove it)
O1 - Hosts: 69.299.33.21 bin.mcafee.com
O2 - BHO: (no name) - {7a932ed2-1737-4ab8-b84d-c71779958551} - (no file)
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\Optimum Online\ >>> folder

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and your comments. How is the computer running now?

Thanks...pskelley
BleepingComputer

Edited by pskelley, 26 April 2006 - 03:08 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
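The entries pskelley asks to have fixed above (the empty R0 Local Page values, the O1 hosts-file line for bin.mcafee.com with its impossible 299 octet, and the O2 browser helper object with no file) can be picked out of a HijackThis log mechanically. The script below is an added example, not code from the thread or from the HijackThis project; the list of vendor domains it watches is an assumption for the example, and the sample log is constructed from lines quoted in the log posted above plus one clean line.

```python
"""Added example (not from the thread): mechanical triage of HijackThis-style log lines."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Domains whose hosts-file override would block a vendor's updates or site (constructed list, not exhaustive)
PROTECTED_DOMAINS = ("mcafee.com", "microsoft.com", "windowsupdate.com", "trendmicro.com", "symantec.com")

# O1 lines look like: "O1 - Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")


@dataclass
class Finding:
    line: str
    reason: str


def valid_ipv4(text: str) -> bool:
    """True only for four dotted decimal octets, each 0..255 (69.299.33.21 fails here)."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def check_line(line: str) -> list[str]:
    """Return the reasons a single HJT line deserves attention (empty list if none)."""
    reasons: list[str] = []
    line = line.strip()
    # R0/R1 entries with nothing after '=' are the blank-page leftovers of a browser hijack
    if line.startswith("R0 - ") and line.endswith("="):
        reasons.append("IE Local/Start Page set to an empty value (typical leftover of a hijack)")
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        if not valid_ipv4(ip):
            reasons.append(f"hosts entry has a malformed IP address {ip!r}")
        if any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS):
            reasons.append(f"hosts entry overrides DNS for {host!r}, a security vendor domain")
    # A BHO whose DLL is gone is dead weight at best and a half-removed infection at worst
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        reasons.append("browser helper object registered but its DLL is missing")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every line of a log and collect the findings."""
    return [Finding(ln.strip(), r) for ln in log_text.splitlines() for r in check_line(ln)]


# Constructed sample: entries copied from the thread's log plus one clean line (F2 and the Java BHO)
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.299.33.21 bin.mcafee.com
O2 - BHO: (no name) - {7a932ed2-1737-4ab8-b84d-c71779958551} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample the script reports four findings: one for the R0 line, two for the O1 line (bad octet and vendor domain) and one for the BHO with no file; the F2 and Java lines pass. It is a first-pass filter only: a hosts entry for a vendor domain still needs a human to decide whether it was placed by a legitimate product, which is exactly the judgement pskelley leaves to Howard.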

#4 HowardK

HowardK
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 26 April 2006 - 05:59 PM

hello pskelley,

Thank you so much for replying! Well I'm glad I was able to remove Smitfraud, but this netsurf.exe thing. Hmmmm....well I've been reading up on netsurf. One of my sources, www.auditmypc.com (by the way, is this website a legitimate source? If you've heard of it I'd just like to know)...well, this source states that netsurf is adware, but removing it may cause some negative side effects.

this is what it says on www.auditmypc.com:

"Optimum NetSurf is likely adware and as such, presents an unnecessary risk which should be eliminated! Removing netsurf.exe may cause a number of problems, such as slow performance, loss of data or leaking private information.

Removing Optimum NetSurf may be difficult.

The Spy Bot database currently registers netsurf.exe to Optimum.

This is part of Optimum Isp Installation. "




So should I contact my internet service provider before following your instructions? Because I currently have my firewall (ZoneAlarm, free) blocking all of its traffic right now. I guess what I'm wondering is, since I have it blocked, is it better to just leave it alone or is it safer to just get rid of it? I'm just afraid that I'm going to mess up my internet connection.

Thanks again for responding,

Howard

#5 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:47 AM

Posted 26 April 2006 - 06:59 PM

If you are looking to validate an item, these are better references:
http://www.bleepingcomputer.com/startups/
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.pacs-portal.co.uk/startup_index.htm
http://computercops.biz/StartupList.html
http://www.sysinfo.org/startuplist.php
I have not used them all in a while but I believe they are all valid.

Now if you want to validate a spyware program, this is the place: http://www.spywarewarrior.com/rogue_anti-spyware.htm

The CastleCops link above calls it like it is, what you wish to do about the ISP is up to you. If that is part of the connection software, I would say you can't remove it without checking with them first.

You can however complete the balance of the instructions and post the information for me to review if you wish. There is not a whole lot showing in the log. I am undecided about the McAfee item you have in the O1 - Hosts file, but you should know what it is.

I'm just afraid that I'm going to mess up my internet connection

That is why I am giving you the information and suggesting you take it up with the ISP so you can listen to them lie to you. http://www.google.com/search?sourceid=navc...q=Netsurf%2Eexe

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#6 HowardK

HowardK
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 26 April 2006 - 08:34 PM

hi phil,

wow, thanks for responding so quickly! I will scan with ewido and hijackthis and post log tomorrow. Thanks for the links!


Howard

#7 HowardK

HowardK
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 27 April 2006 - 09:12 AM

hey phil,

I'm sorry but I need to ask just a couple of newbie questions before I start with your instructions. This is just so I understand, technically, what I'm doing (still trying to figure out all the computer lingo you experts use :thumbsup:). Well, my questions lie in these steps:


"Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\Optimum Online\ >>> folder

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do. "



So I'm guessing that when you say enable hidden files & folders you want me to unhide them. Is that so I can find the items you are telling me to delete? And if so, I do have a question about deleting the Optimum Online folder: being that they are my internet service provider, will it affect my internet connection? Secondly, when you say to back up before I remove stuff with CCleaner, do you mean to make a system restore point? Because I just turned it on right now just in case. I had it off previously, because while I was cleaning up my computer, before I posted my HijackThis log, I read somewhere (I think from one of BleepingComputer's suggested scanners) that viruses and malware can hide in your system restore points. Anyway, that's beside the point, I was just wondering if that is what you meant by backing up?


Thanks for your help Phil, I hope you can be patient with such a paranoid newbie like me. :flowers:


Howard

#8 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:47 AM

Posted 27 April 2006 - 09:49 AM

To be as brief as possible:

The bad guys know Windows hides critical system files and folders, so that's where they often put their stuff. Many people do not know this; as a result it is nearly impossible to remove the malware, usually requiring paid professional help:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

And if so, I do have a question about deleting the Optimum Online folder: being that they are my internet service provider, will it affect my internet connection?

I believe I covered this enough. I bolded the information for you, and once again I would do nothing with that program without discussing it with your Internet Service Provider.

Secondly, when you say to back up before I remove stuff with ccleaner do you mean to make a system restore point?

NO...please review the tutorial I posted. When you choose Issues (registry cleaner) and ask that stuff not needed be removed, the program will search and locate this stuff. When you tell CCleaner to remove this stuff, it will pop up a warning window asking if you wish to back up the registry. You should NEVER work in your registry without a backup, so tell CCleaner to back up. It will ask where you want the backup, so tell it to place it on your Desktop. I have never, in hundreds of times asking folks to remove stuff with the cleaner, had to restore. If you should be the first, we want to be prepared. After a week or so, right click that backup and delete it. DO NOT click or double-click as that may return what was removed to your registry.

(links are for your information only and would not be needed during backup with CCleaner as it does this for you)
http://support.microsoft.com/default.aspx?...kb;en-us;322756
http://www.theeldergeek.com/windows_xp_registry.htm

Because I just turned it on right now just in case. I had it off previously, because while I was cleaning up my computer

I would never turn off the System Restore utility unless I was doing so to purge all old restore points to clean infection that might be in them. I do this at the end of each repair. If you turn it off when working and you have a problem there is no System Restore to rely on. Even a bad System Restore is better than no System Restore in a crisis.

I have no objections to your questions, that is how I learned :thumbsup:

I hope this helps...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
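Two steps in this thread merge a .reg file into the registry: FixSQ.reg in the removal write-up quoted in the first post, and the backup CCleaner writes, which Phil warns will put the removed entries back if it is ever double-clicked. Both are the same file format, and the safe way to handle a .reg file of unknown content is to read what it would do before merging it. The script below is an added example, not code from the thread, from CCleaner or from any tool named here: it parses the Registry Editor text format (key sections, `[-KEY]` deletions, `"name"=-` value deletions, string, dword and hex values with line continuations) and reports what a merge would change, singling out anything under the autostart keys. Every key and value name in the sample file is a constructed placeholder.

```python
"""Added example (not from the thread): dry-run a Windows .reg file without touching the registry."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Registry paths whose values start programs at boot/logon; the ones to read first in any .reg file
AUTOSTART_PATTERN = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|Winlogon)(\\|$)", re.IGNORECASE)
# A value line: "name"=data  or  @=data  (the @ is the key's default value)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


@dataclass
class RegChange:
    key: str
    name: Optional[str]  # None for key-level operations
    action: str          # "key" (ensure it exists), "set", "delete_value", "delete_key"
    data: str = ""


def _join_continuations(lines: list[str]) -> list[str]:
    """Fold lines ending in a backslash (used by long hex values) into one logical line."""
    out, buf = [], ""
    for raw in lines:
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1].strip()
            continue
        out.append(buf + s)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _describe(data: str) -> str:
    """Render the right-hand side of a value line as registry type plus decoded content."""
    if data.startswith('"') and data.endswith('"'):
        return "REG_SZ " + data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return f"REG_DWORD {int(data[6:], 16)}"
    if data.startswith("hex(2):"):  # REG_EXPAND_SZ is stored as UTF-16LE bytes
        raw = bytes.fromhex(data[7:].replace(",", ""))
        return "REG_EXPAND_SZ " + raw.decode("utf-16-le").rstrip("\x00")
    if data.startswith("hex:"):
        return "REG_BINARY " + data[4:]
    return "OTHER " + data


def parse_reg(text: str) -> list[RegChange]:
    """Turn .reg text into the list of changes a merge would perform, in file order."""
    lines = _join_continuations(text.splitlines())
    if not lines or not lines[0].startswith(("Windows Registry Editor Version 5.00", "REGEDIT4")):
        raise ValueError("missing .reg header")
    changes: list[RegChange] = []
    key: Optional[str] = None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):  # [-KEY] deletes the whole key and its subkeys
                changes.append(RegChange(body[1:], None, "delete_key"))
                key = None
            else:
                key = body
                changes.append(RegChange(key, None, "key"))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparseable line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2).strip()
        if data == "-":  # "name"=- deletes a single value
            changes.append(RegChange(key, name, "delete_value"))
        else:
            changes.append(RegChange(key, name, "set", _describe(data)))
    return changes


def summarize(changes: list[RegChange]) -> dict[str, int]:
    return {
        "keys_deleted": sum(c.action == "delete_key" for c in changes),
        "values_deleted": sum(c.action == "delete_value" for c in changes),
        "values_set": sum(c.action == "set" for c in changes),
    }


def autostart_changes(changes: list[RegChange]) -> list[RegChange]:
    """Changes that add, alter or remove something under an autostart key."""
    return [c for c in changes if c.action != "key" and AUTOSTART_PATTERN.search(c.key)]


# Constructed sample: every key and value name below is a placeholder, not a real product's entry
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample for the example
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleRogue]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"ExampleFlag"=dword:00000001
"ExamplePath"=hex(2):48,00,69,00,\
  00,00
"""

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for c in parsed:
        print(f"{c.action:13} {c.key}  {c.name or ''}  {c.data}")
    print(summarize(parsed))
    print("autostart:", [c.name for c in autostart_changes(parsed)])
```

Run against the sample, the parser lists seven operations: two key sections, one value deletion under the Run key, one whole-key deletion, and three values set (a REG_SZ, a REG_DWORD of 1, and a REG_EXPAND_SZ that decodes to "Hi" across a continuation line). The autostart filter returns only the Run-key deletion, which is the line a reader would check before merging a file that claims to remove a rogue's startup entry; the same reading applied to a CCleaner backup shows what a stray double-click would restore.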

#9 HowardK

HowardK
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 27 April 2006 - 03:00 PM

hey phil,

Nothing found by ewido, here's the log anyway:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:14:08 PM, 4/27/2006
+ Report-Checksum: 24749A1B

+ Scan result:

No infected objects found.


::Report End



And here's the new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 3:22:30 PM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Softimage\XSI_4.2\Application\bin\raysatxsi4_2server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FHM - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase7617.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145317369156
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: RaySatxsi4_2 Server (RaySatxsi4_2Server) - Unknown owner - C:\Softimage\XSI_4.2\Application\bin\raysatxsi4_2server.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



I decided not to do anything about netsurf.exe (even though I really want to). I guess I'll take it up with Optimum and see what kind of stuff they have to say, but I will continue blocking it with ZoneAlarm. I'm wondering if you could tell me how I can find out what other Optimum Online users did with this ridiculous adware installation. In other words, are there discussions on bleepingcomputer on this issue? Because it seems very odd that an online service provider would do such a thing. Ugh! What a headache!! One thing I'm curious about is ewido, though. Is it an anti-virus program? If so, will it conflict with my current anti-virus and anti-spyware programs?



Thanks for your help again!

Howard
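A small triage helper for the HijackThis log format used in the post above, added here as an example and not part of this thread: it parses O4 autostart entries and the other "section - label - target" lines, separates the program from its arguments, and flags targets marked "(file missing)" as well as autostart values that give only a bare filename (resolved through the search path rather than a full path). The sample lines are copied from the log posted above; the extension list used to find the end of an unquoted program path is a heuristic.

```python
import re
from dataclasses import dataclass
# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
@dataclass
class Entry:
    section: str        # HijackThis section code, e.g. "O4" or "O23"
    label: str          # descriptive part between the section code and the target
    target: str         # executable, DLL or URL the entry points at
    args: str           # command-line arguments (O4 entries only, otherwise "")
    file_missing: bool  # HijackThis flagged the target as absent from disk

# O4 autostart entries: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Command line -> program + args: program is quoted, or ends at the first executable-looking extension
CMD_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|scr|bat|cmd|pif))"?(?:\s+(?P<args>.*))?$', re.I)
# Absolute Windows path: drive letter, %ENV% variable or UNC prefix
ABS_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%|\\\\)")

def parse_hjt(text: str) -> list[Entry]:
    """Parse the O-section lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.strip().splitlines():
        if m := O4_RE.match(line):
            c = CMD_RE.match(m["cmd"])
            exe, args = (c["exe"], c["args"] or "") if c else (m["cmd"], "")
            entries.append(Entry("O4", m["name"], exe, args, False))
            continue
        # Other sections read "<code> - <label> - <target>"; the label may itself contain " - "
        # (CLSIDs, vendor names), so split off only the last field as the target.
        section, rest = line.split(" - ", 1)
        label, target = rest.rsplit(" - ", 1)
        missing = target.endswith(" (file missing)")
        entries.append(Entry(section, label, target.removesuffix(" (file missing)"), "", missing))
    return entries

def findings(entries: list[Entry]) -> list[str]:
    """Entries worth a reviewer's first look: dangling references and autostarts without a full path."""
    out = []
    for e in entries:
        if e.file_missing:
            out.append(f"{e.section} [{e.label}] points at a missing file: {e.target}")
        if e.section == "O4" and not ABS_RE.match(e.target):
            out.append(f"{e.section} [{e.label}] runs a bare filename via the search path: {e.target}")
    return out
```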

#10 pskelley

pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 27 April 2006 - 06:20 PM

Hello Howard, let me answer your questions first. I thought I was done dealing with your ISP; once and for all, here is what Google has on Netsurf.exe: http://www.google.com/search?sourceid=navc...q=Netsurf%2Eexe
You had already located some of this information yourself. There are 27,400 websites with comments.

ewido is a security suite; it does not do the job of an antivirus program, and it generally conflicts with none of those I am aware of. The program was just purchased by: http://www.grisoft.com/doc/29396/lng/us/tpl/tpl01 and I can't comment on changes that might occur as a result of the new ownership. The most recent information I have concerning compatibility with other programs is this: http://www.ewido.net/en/compatibility/
I personally suggest all freeware programs, which will be in the links I leave with you from the experts in this field. Here is my suggestion for dealing with ewido once the trial is over unless YOU decide to purchase the product.
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Since your ewido scan is clean and your HJT log is free of malware, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Safe surfing...Phil :thumbsup:

Thanks...pskelley
BleepingComputer
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Edited by pskelley, 27 April 2006 - 06:22 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#11 HowardK

HowardK
  • Topic Starter

  • Members
  • 8 posts

Posted 27 April 2006 - 09:15 PM

Phil,

There are no words to express my gratitude. You're the best, man! Sorry for the multiple/duplicate questions I've been asking. By the way, what should I do about netsurf? j/k :thumbsup:


I've recommended you guys to several people already and will continue to do so. And once I can get some money in the bank I will definitely make a donation. You guys are the best!


One proud newbie member

Howard

Edited by HowardK, 27 April 2006 - 09:15 PM.
