
Searchnet Infection


6 replies to this topic

#1 hardball


Posted 18 April 2007 - 06:18 PM

My BellSouth Internet Security-Anti Spyware keeps popping up stating that it has failed to delete SearchNet. I don't get any pop ups. Computer seems to be fine except for the Anti Spyware warning. Any advice would be appreciated.
I aint ignot, jest countrified.



#2 TMacK


Posted 18 April 2007 - 07:12 PM

Let's see if we can get rid of this spyware.
Install SUPERAntiSpyware. Run it in safe mode and allow it to quarantine whatever it finds.

Also run the online scan for BitDefender and allow it to quarantine whatever it finds also.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#3 hardball


Posted 18 April 2007 - 09:18 PM

Result of SUPERAntispyware scan:

SUPERAntiSpyware Scan Log
Generated 04/18/2007 at 09:48 PM

Application Version : 3.6.1000

Core Rules Database Version : 3221
Trace Rules Database Version: 1230

Scan type : Complete Scan
Total Scan Time : 00:53:13

Memory items scanned : 171
Memory threats detected : 0
Registry items scanned : 6796
Registry threats detected : 1
File items scanned : 31092
File threats detected : 7

Trojan.Media-Codec
C:\Program Files\Video Access ActiveX Object
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#eitheror [ {2016a466-91a2-43c6-97d8-2fd380f065ef} ]

Adware.Tracking Cookie
C:\Documents and Settings\Egnot\Cookies\egnot@ad1.m5-systems[2].txt
C:\Documents and Settings\Egnot\Cookies\egnot@ad2.m5-systems[2].txt
C:\Documents and Settings\Guest\Cookies\guest@ad.m5prod[1].txt
C:\Documents and Settings\Guest\Cookies\guest@tracking.vcab[1].txt
C:\Documents and Settings\Scrooge\Cookies\scrooge@ad.m5prod[2].txt
C:\Documents and Settings\Scrooge\Cookies\scrooge@iqcounter[1].txt

BitDefender online scanner froze up at the ULA screen. When I clicked on I Agree, Nothing happens. :thumbsup:

#4 buddy215

  • Moderator

Posted 18 April 2007 - 09:35 PM

The log doesn't show if you deleted or quarantined the malware. You may have copied the log before you deleted. Bit Defender has to run in Internet Explorer. Give it another try and then post a Hijack This Log.

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 hardball


Posted 21 April 2007 - 03:47 PM

I am pretty sure I have solved the problem. I downloaded eTrust PestPatrol and scanned computer. It found SearchNet very quickly and quarantined it. BellSouth Anti Spyware warning has not popped up in three hrs. Thanks for everyone's time and trouble. Below is PestPatrol log.

eTrust PestPatrol Quarantined Pests Report
This report was generated on: 4/21/2007-1:29:36 PM

=== Begin Session 4/21/2007 1:26:53 PM <<20070421202653>> (ID 1) ===
(1) SearchNet
c:\windows\system32\drivers\fad.sys
hkey_local_machine \system\currentcontrolset\enum\root\legacy_fad

=== End Session 4/21/2007 1:26:53 PM <<20070421202653>> (ID 1) ===
***End Report***

#6 TMacK


Posted 21 April 2007 - 04:43 PM

Glad to hear that you aren't getting any more pop-ups hardball.

When the Hijack Team answers your post, you'll have to let them know what changes you've made and run a new Hijack Log...just to be on the safe side.

#7 jimbo8500


Posted 29 April 2007 - 08:33 PM

I had "legacy_fad" in my registry, tried all the suggested procedures and couldn't get rid of it!

Somehow, I figured out that it was the permissions for the key in the registry that prevented me from deleting it!

Log in as an Administrator and just search the registry for "legacy_fad" and when you find it, right click on the key and choose "permissions". Click the "Advanced" button, then click the "Add" button, then "Advanced" and "Find Now". Choose "Administrators" and click "OK" and "OK" and then check "Full Control" under "Allow", and 3 more "OK"'s to get out.

I had to do that for 3 Keys to delete them all. A fourth gave me a couldn't find error! I closed regedit and rebooted and searched for "legacy_fad" again. It was finally gone. I think the "anti-ware" programs fail because of the way the permissions were reset!

If you have a Dell, you can reinstall the Dell driver that contains the "fad.sys" file. Then search your disk for "fad.sys" and make sure the file dates and sizes match the Dell driver folder. If not, just cut and paste the correct file into the offending folder. On my machine, the "fad.sys" file was in my Broadcom Control Suite (R62745.EXE). I have a Dell Inspiron 8500 running Win XP Professional.

I hope this information helps with this or some future problem.

:thumbsup:
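A stricter form of the date-and-size comparison suggested in post #7, as an added example that is not part of the thread: a replaced file can carry the same size and timestamp, so this compares every fad.sys on disk with a reference copy by SHA-256 and Authenticode status, then lists the ACL on the LEGACY_FAD key named in the PestPatrol log. `$ReferencePath` and `$SearchRoot` are assumed parameters, and the cmdlets need PowerShell 4.0 or later, which is not stock on Windows XP.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# $ReferencePath (assumption): fad.sys extracted from the vendor driver package.
# $SearchRoot    (assumption): drive or folder to search for other copies.
param(
    [Parameter(Mandatory)] [string] $ReferencePath,
    [string] $SearchRoot = 'C:\'
)

$ref     = Get-Item -LiteralPath $ReferencePath
$refHash = (Get-FileHash -LiteralPath $ref.FullName -Algorithm SHA256).Hash

# Every copy of fad.sys, compared with the reference three ways.
# SameSize/SameDate are what the post checks; SameHash is the one that counts.
Get-ChildItem -Path $SearchRoot -Filter 'fad.sys' -File -Recurse -Force `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path      = $_.FullName
            SameSize  = $_.Length -eq $ref.Length
            SameDate  = $_.LastWriteTimeUtc -eq $ref.LastWriteTimeUtc
            SameHash  = $hash -eq $refHash
            Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject   # empty when unsigned
        }
    } | Format-List

# Who holds which rights on the legacy device key from the PestPatrol log.
# A key that Administrators cannot delete will show no delete/full-control
# entry for that group here.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD'
if (Test-Path -LiteralPath $key) {
    (Get-Acl -LiteralPath $key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
} else {
    "$key is not present"
}
```

Any row with `SameHash` false, or a `Signature` other than `Valid`, is a file to set aside for analysis rather than overwrite in place.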



