
Am I Infected?


2 replies to this topic

#1 clydesuncle

clydesuncle

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 17 February 2007 - 04:41 PM

Hi all,

I’m very sure I was infected with spydawn.
Installed on PC: Ad-Aware SE, Spybot S&D (resident & tea), CCleaner, AVG Free. I also have SpywareGuard, SpywareBlaster, ZA, and Win Defender. All were already on my PC before this issue.

Spydawn was found in the control panel and uninstalled. I did not follow your removal procedures for this as I wasn’t aware of them at the time. But I’m here now!

AVG found and deleted Trojan horse “Generic3.APS” in sys32 folder and found bad sector in boot disk. A second scan from AVG was clean.

Spybot found and removed “Win32.Agent.Acs” HKEY_LOCAL_MACHINE\SOFTWARE\ztestkey.

Ad-Aware SE found and removed:

SPYWAREQUAKE

WIN32.TROJANDOWNLOADER.ZLOB
obj[22]=Regkey : clsid\{84938242-5c5b-4a55-b6b9-a1507543b418}
obj[23]=Regkey : vaxobject.chl
obj[24]=Regkey : software\internet security
obj[25]=RegValue : software\internet security "Path"
obj[26]=RegValue : software\internet security "Removable"
obj[27]=RegValue : software\internet security "65003"
obj[28]=RegValue : software\internet security "65005"
obj[29]=Regkey : software\microsoft\windows\currentversion\uninstall\video activex object
obj[30]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "DisplayName"
obj[31]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "UninstallString"
obj[32]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "DisplayIcon"
obj[33]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "DisplayVersion"
obj[34]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "URLInfoAbout"
obj[35]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "Publisher"
obj[36]=Regkey : software\microsoft\windows\currentversion\uninstall\internet security add-on
obj[37]=RegValue : software\microsoft\windows\currentversion\uninstall\internet security add-on "UninstallString"
obj[38]=Regkey : software\microsoft\windows\currentversion\uninstall\internet explorer security plugin 2006
obj[39]=RegValue : software\microsoft\windows\currentversion\uninstall\internet explorer security plugin 2006 "UninstallString"
obj[40]=Folder : C:\Program Files\Video ActiveX Object
obj[41]=File : c:\documents and settings\all users\start menu\Security Troubleshooting.url
obj[42]=File : c:\documents and settings\all users\start menu\Online Security Guide.url
obj[43]=File : c:\documents and settings\all users\desktop\Security Troubleshooting.url
obj[44]=File : c:\documents and settings\all users\desktop\Online Security Guide.url

HJT shows:
O15 - Trusted Zone: http://*.trymedia.com (HKLM)

Not sure what is a good default search page and all either.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

All scans were also done in safe mode as well. Found nothing. Then I found BC and I can’t locate any of the files in sys32 folder as outlined in removal guides for spydawn, troj32, or AntiVermins.

Thank you for any assistance in advance.
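The post quotes two log formats by hand: Ad-Aware's `obj[n]=Type : target` lines grouped under a detection name, and HijackThis R0/R1/O15 lines. The following added example (my code, not anything from the poster or from BleepingComputer) parses both into structured records and applies the review a helper would do on them: every O15 trusted-zone addition is listed for review, and every IE URL setting whose host is not on a known list is flagged. The known-host list and the `.invalid` hijack line in the HJT sample are my assumptions for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed samples abbreviated from the post's Ad-Aware and HijackThis output; the final
# HJT line is a made-up hijack (an .invalid host) so the review has something to flag.
SAMPLE_ADAWARE = r"""SPYWAREQUAKE
obj[5]=Regkey : interface\{189518df-7eba-4d31-a7e1-73b5bb60e8d5}
obj[21]=Regkey : typelib\{661173ee-fa31-4769-97d4-b556b5d09bda}

WIN32.TROJANDOWNLOADER.ZLOB
obj[29]=Regkey : software\microsoft\windows\currentversion\uninstall\video activex object
obj[40]=Folder : C:\Program Files\Video ActiveX Object
obj[41]=File : c:\documents and settings\all users\start menu\Security Troubleshooting.url"""
SAMPLE_HJT = r"""O15 - Trusted Zone: http://*.trymedia.com (HKLM)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/"""
# Assumption: the OEM redirect host and the user's chosen start page are the only expected hosts.
KNOWN_HOSTS = {"ie.redirect.hp.com", "www.yahoo.com"}
ADAWARE_RE = re.compile(r"^obj\[\d+\]=(\w+)\s*:\s*(.+)$")
HJT_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.+)$")

def parse_adaware(text):  # -> {detection name: [(object type, target), ...]}
    findings, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        m = ADAWARE_RE.match(line)
        if m:
            findings[current].append(m.groups())
        elif line and not line.startswith("»"):  # a heading such as SPYWAREQUAKE; skip »»» rows
            current = line
    return dict(findings)

def parse_hjt(text):  # -> list of (kind, key, value); value is None for O15 lines
    entries = []
    for m in filter(None, map(HJT_RE.match, map(str.strip, text.splitlines()))):
        kind, body = m.groups()
        if kind == "O15":
            entries.append((kind, body, None))
        elif " = " in body:
            entries.append((kind, *body.split(" = ", 1)))
    return entries

def review_hjt(entries, known_hosts=KNOWN_HOSTS):  # every O15 plus any IE URL off the known list
    flagged = []
    for kind, key, value in entries:
        if kind == "O15":
            flagged.append(("trusted zone entry", key))
        elif (urlsplit(value).hostname or "") not in known_hosts:
            flagged.append(("unexpected IE URL", key))
    return flagged
```

The grouped Ad-Aware findings double as a checklist of registry keys, folders and files to confirm are gone after the removal procedure runs.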


#2 buddy215

buddy215

  • BC Advisor
  • 12,611 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:51 AM

Posted 17 February 2007 - 07:42 PM

Suggest you follow the removal instructions for SpyDawn. Running the Smitfraud fix will also remove remnants of your other infections.
http://www.bleepingcomputer.com/forums/t/81275/how-to-remove-spydawn-removal-instructions/

If you still have reason to believe you are still infected you should post a Hijack This log in the appropriate forum by following the instructions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics... you are all stardust.” - Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 clydesuncle

clydesuncle
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 18 February 2007 - 10:12 PM

ty sir,
will do.
