

Am I Infected?


2 replies to this topic

#1 clydesuncle

clydesuncle

  • Members
  • 3 posts

Posted 17 February 2007 - 04:41 PM

Hi all,

I'm very sure I was infected with SpyDawn.
Installed on the PC: Ad-Aware SE, Spybot S&D (resident & tea), CCleaner, AVG Free. I also have SpywareGuard, SpywareBlaster, ZA, and Windows Defender. All were already on my PC before this issue.

SpyDawn was found in the Control Panel and uninstalled. I did not follow your removal procedures for this as I wasn't aware of them at the time. But I'm here now!

AVG found and deleted Trojan horse Generic3.APS in the sys32 folder and found a bad sector on the boot disk. A second scan from AVG was clean.

Spybot found and removed Win32.Agent.Acs HKEY_LOCAL_MACHINE\SOFTWARE\ztestkey.

Ad-Aware SE found and removed:

SPYWAREQUAKE


WIN32.TROJANDOWNLOADER.ZLOB

obj[22]=Regkey : clsid\{84938242-5c5b-4a55-b6b9-a1507543b418}
obj[23]=Regkey : vaxobject.chl
obj[24]=Regkey : software\internet security
obj[25]=RegValue : software\internet security "Path"
obj[26]=RegValue : software\internet security "Removable"
obj[27]=RegValue : software\internet security "65003"
obj[28]=RegValue : software\internet security "65005"
obj[29]=Regkey : software\microsoft\windows\currentversion\uninstall\video activex object
obj[30]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "DisplayName"
obj[31]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "UninstallString"
obj[32]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "DisplayIcon"
obj[33]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "DisplayVersion"
obj[34]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "URLInfoAbout"
obj[35]=RegValue : software\microsoft\windows\currentversion\uninstall\video activex object "Publisher"
obj[36]=Regkey : software\microsoft\windows\currentversion\uninstall\internet security add-on
obj[37]=RegValue : software\microsoft\windows\currentversion\uninstall\internet security add-on "UninstallString"
obj[38]=Regkey : software\microsoft\windows\currentversion\uninstall\internet explorer security plugin 2006
obj[39]=RegValue : software\microsoft\windows\currentversion\uninstall\internet explorer security plugin 2006 "UninstallString"
obj[40]=Folder : C:\Program Files\Video ActiveX Object
obj[41]=File : c:\documents and settings\all users\start menu\Security Troubleshooting.url
obj[42]=File : c:\documents and settings\all users\start menu\Online Security Guide.url
obj[43]=File : c:\documents and settings\all users\desktop\Security Troubleshooting.url
obj[44]=File : c:\documents and settings\all users\desktop\Online Security Guide.url

HJT shows:
O15 - Trusted Zone: http://*.trymedia.com (HKLM)

Not sure what is a good default search page and all, either.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

All scans were also done in safe mode. Found nothing. Then I found BC, and I can't locate any of the files in the sys32 folder as outlined in the removal guides for SpyDawn, Troj32, or AntiVermins.

Thank you for any assistance in advance.
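The two log formats quoted in the post above (Ad-Aware's `obj[N]=Type : target` lines and HijackThis R0/R1/O15 lines) are easy to triage with a small parser. The following is an added example, not code from the post or from either tool; the sample log text is a constructed subset of the lines quoted above, and the triage rules (leftover uninstall entries, dropped `.url` shortcuts, any IE Trusted Zone addition) are the author's own choice of what a helper would ask the poster to verify by hand.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Ad-Aware and HijackThis lines quoted in the post.
ADAWARE_LOG = """\
WIN32.TROJANDOWNLOADER.ZLOB
obj[22]=Regkey : clsid\\{84938242-5c5b-4a55-b6b9-a1507543b418}
obj[29]=Regkey : software\\microsoft\\windows\\currentversion\\uninstall\\video activex object
obj[37]=RegValue : software\\microsoft\\windows\\currentversion\\uninstall\\internet security add-on "UninstallString"
obj[40]=Folder : C:\\Program Files\\Video ActiveX Object
obj[41]=File : c:\\documents and settings\\all users\\start menu\\Security Troubleshooting.url
"""
HJT_LOG = """\
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3
"""

ADAWARE_RE = re.compile(r"^obj\[(\d+)\]=(\w+) : (.+)$")   # obj[22]=Regkey : target
HJT_RE = re.compile(r"^([RO]\d+) - (.+)$")                 # O15 - Trusted Zone: ...

def parse_adaware(text):
    """Return {family: [(kind, target), ...]}; a bare upper-case line starts a new family."""
    findings, family = defaultdict(list), None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAWARE_RE.match(line)
        if m:
            findings[family].append((m.group(2), m.group(3)))
        elif line.isupper():
            family = line.strip()
    return dict(findings)

def parse_hjt(text):
    """Return a list of (section, detail) tuples for every R/O line."""
    return [(m.group(1), m.group(2)) for m in map(HJT_RE.match, text.splitlines()) if m]

def triage(adaware, hjt):
    """List the findings worth confirming manually after a cleanup."""
    notes = []
    for family, items in adaware.items():
        for kind, target in items:
            low = target.lower()
            if "\\uninstall\\" in low:
                notes.append(f"{family}: leftover uninstall entry {target}")
            elif kind == "File" and low.endswith(".url"):
                notes.append(f"{family}: dropped shortcut {target}")
    for section, detail in hjt:
        if section == "O15":   # a site added to IE's Trusted Zone lowers its security settings
            notes.append(f"HJT {section}: Trusted Zone entry ({detail}) - confirm it was added on purpose")
    return notes
```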


#2 buddy215

buddy215

  • BC Advisor
  • 12,990 posts
  • Gender:Male
  • Location:West Tennessee

Posted 17 February 2007 - 07:42 PM

Suggest you follow the removal instructions for SpyDawn. Running the Smitfraud fix will also remove remnants of your other infections.
http://www.bleepingcomputer.com/forums/t/81275/how-to-remove-spydawn-removal-instructions/

If you still have reason to believe you are infected, you should post a HijackThis log in the appropriate forum by following the instructions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/



#3 clydesuncle

clydesuncle
  • Topic Starter

  • Members
  • 3 posts

Posted 18 February 2007 - 10:12 PM

ty sir,
will do.
