[Solved] Please help with infection "Spyware Quake"
Byron172
Adelaide, South Australia Member
I think I have an infection called spyware quake. It is very similar to spyware strike. Has anyone heard of this or able to help by looking at my HJTL file:
Logfile of HijackThis v1.99.1
Scan saved at 6:02:20 PM, on 8/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Spyware Removers\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F63436B-C626-466C-8A9F-A8F0B17121F9}: NameServer = 203.2.75.132 198.142.0.51
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
Any assistance or advice will be greatly appreciated.
Cheers.
Logfile of HijackThis v1.99.1
Scan saved at 6:02:20 PM, on 8/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\Program Files\SpywareQuake\SpywareQuake.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Spyware Removers\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F63436B-C626-466C-8A9F-A8F0B17121F9}: NameServer = 203.2.75.132 198.142.0.51
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
Any assistance or advice will be greatly appreciated.
Cheers.
0
This discussion has been closed.
Comments
Try the removal instructions.
Really appreciate your help with this one.
Did it work?
Thanks again - I'll keep you in the know.......
Just completed the Spyware Quake removal procedure and have posted below the HJTLF:
Logfile of HijackThis v1.99.1
Scan saved at 2:04:56 PM, on 18/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Spyware Removers\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swellnet.com.au/loc_report.php?region_id=19&state_id=4
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hpAB9B.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{16D16~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{16D16~1\reboot.ini -l0x9
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F63436B-C626-466C-8A9F-A8F0B17121F9}: NameServer = 203.2.75.132 198.142.0.51
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\System32\pctspk.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
Also ran a panda scan but ubfortunately my internet connection dropped out as I aws just about to get the rsults so I would have to run the scan again if I wnated to get the log file (it took about 2 hours so I don't really want to if I don't have to). If you think it is absolutely necessary after reading the above log I will.
Smit rem came up as clean, but here is the detail of the scan in case it is useful:
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 18/04/2006
The current time is: 11:04:48.76
Running from
C:\Program Files\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
Security Toolbar
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
ncompat.tlb
nvctrl.exe
hp***.tmp
~~~ Icons in System32 ~~~
ts.ico
ot.ico
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 756 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
Do you think the computer is clean based on this info?
Thanks again for all your help.......
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hpAB9B.tmp (file missing)
Apart from that your log is clean.
It would be nice to see a Panda report, but if you don't want to scan again, thats fine.
Two questions:
1. How is the computer?
2. Do you have a Firewall?
Is it possible that he could be getting targetted by spyware creators because of traces left behind from from previous infections or is he just practicing unsafe surfing? I would be interested to hear your opinion on this.
Thanks again for all your help,
B
I don't think your friend is being targeted by spyware creators. I would say it's unsafe surfing!
Get your friend to do the following!
Secure your Internet Explorer by going here and following the instructions there.
Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
Use a firewall to help prevent your PC(s) from being usurped by undesireables. If you don't have a Firewall, then choose one from the list here
Install an Anti-Virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often. If you don't have an Anti-Virus program, choose one from the list here
Install and keep updated, Ad-Aware SE and Spybot Search & Destroy.
Run them both on a regular basis, following the manufacturer's recommendations.
Install and keep updated, SpywareBlaster and SpywareGuard
Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
Clear your Temp folders.
Go to Start > Control Panel > Internet Options.
Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK
Go to "Start" -> "Run" and type in the box: "cleanmgr" press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked and then press "OK" to remove:
- Temporary Files
- Temporary Internet Files
- Recycle Bin
Also, go to Start > Find/Search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.Empty/delete the entire contents from the following folders:
C:\Windows\temp
C:\temp <-- if you have one.
Note: Empty contents but don't delete the folder(s) itself.
Clear out temp files from the following location. Change "username" to whatever you have on your computer.
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Empty the Recycle Bin!
Hide system files
It is very important that system files and folders are hidden again, so that they DO NOT get deleted by mistake. To hide system files and folders, do the following for your operating system...
Windows XP
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading, uncheck Do not show hidden files and folders
* Check the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.
Go to Start | Run | type msconfig | Press Enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot! Go back in and Turn System Restore Back on. A new Restore Point will be created automatically.
Note that all previous restore points will be lost.
I will being going back round to his house over the weekend and will put a few more things into place as you have suggested..........also if we get time I willl run another PandaScan and post the results here.
BTW, I downloaded a copy of a program called "KillBox" a couple of months back when my mate had "Spyware Strike". Is this good for anything specific?
Thanks again for all your help,
B
I managed to do a Panda Scan today on my mates computer. Here arethe results:
Incident Status Location
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mark & Tammy\Cookies\mark & [email]tammy@ad.yieldmanager[1].txt[/email]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mark & Tammy\Cookies\mark & [email]tammy@adopt.hbmediapro[2].txt[/email]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mark & Tammy\Cookies\mark & [email]tammy@atdmt[2].txt[/email]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Mark & Tammy\Cookies\mark & [email]tammy@bravenet[1].txt[/email]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mark & Tammy\Cookies\mark & [email]tammy@doubleclick[1].txt[/email]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mark & Tammy\Cookies\mark & [email]tammy@mediaplex[1].txt[/email]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mark & Tammy\Cookies\mark & [email]tammy@statcounter[1].txt[/email]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Mark & Tammy\Cookies\mark & [email]tammy@www.myaffiliateprogram[2].txt[/email]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Mark & Tammy\Favorites\Antivirus Test Online.url
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\Mark & Tammy\Local Settings\Temp\sa1.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Spyware Removers\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Spyware Removers\smitRem.exe[Process.exe]
Adware:adware/emediacodec Not disinfected C:\WINDOWS\system32\interf.tlb
What should I do from here......
Please download SmitfraudFix by S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
I will run the Smitfraud detection tool from S!Ri as directed. I appreciate your time with this one. What makes it even more time consuming is that I really only get a chance to work on his computer on the weekends. So thanks again for bearing with us.
Cheers,
B
Sorry this has taken so long but I've finally got the scan results you requested. They are as follows:
SmitFraudFix v2.48
Scan done at 18:27:52.08, Sat 27/05/2006
Run from
C:\Documents and Settings\Mark & Tammy\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MARK
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Can you delete these please, if they exist:
C:\Documents and Settings\Mark & Tammy\Favorites\Antivirus Test Online.url << this file
C:\Documents and Settings\Mark & Tammy\Local Settings\Temp\sa1.exe << this file
C:\WINDOWS\system32\interf.tlb << this file
Let me know if you have any trouble with deleting those.
Thanks again for all your help.
Anymore problems or...?
Thanks again.
Byron.
Can I mark this resovled or do you want to keep it open?