RogueAntiSpyware.SpywareNo
   

inhotwater
New Member


Date Joined Feb 2008
Total Posts : 13
 
   Posted 4-21-2008 2:58 (GMT +2)
Hello,
 
When running Spyware Doctor I found RogueAntiSpyware.SpywareNo infection showing.
 
Since then I have read and followed the preparation Before Posting a Log.
 
The logs of HijackThis, SUPERAntiSpyware and ComboFix follow.
 
Can you please help me to get rid of this spyware?
 
Thanking you.
 
 
 
 
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:46 PM, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Administrator\My Documents\Videos\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.himarkcomputers.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SDService - Unknown owner - C:\Program Files\SpywareDetector\SDService.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
--
End of file - 7329 bytes
 
 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
 
Generated 04/21/2008 at 10:12 PM
 
Application Version : 4.0.1154
 
Core Rules Database Version : 3442
Trace Rules Database Version: 1434
 
Scan type       : Complete Scan
Total Scan Time : 00:25:34
 
Memory items scanned      : 428
Memory threats detected   : 0
Registry items scanned    : 4579
Registry threats detected : 0
File items scanned        : 13924
File threats detected     : 0
 
 
 
 

ComboFix 08-04-20.2 - Administrator 2008-04-21 22:21:51.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.61.1033.18.520 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\My Documents\Videos\ComboFix.exe
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\WINDOWS\system32\kmd.exe
 
.
(((((((((((((((((((((((((   Files Created from 2008-03-21 to 2008-04-21  )))))))))))))))))))))))))))))))
.
 
2008-04-21 10:23 . 2008-04-21 21:33       <DIR>   d--------  C:\Program Files\Spyware Doctor
2008-04-21 10:23 . 2007-12-10 13:53       81,288  --a------  C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-21 10:23 . 2007-12-10 13:53       66,952  --a------  C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-21 10:23 . 2008-02-01 11:55       42,376  --a------  C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-21 10:23 . 2007-12-10 13:53       29,576  --a------  C:\WINDOWS\system32\drivers\kcom.sys
2008-04-06 10:55 . 2008-04-06 10:55       <DIR>   d--------  C:\Program Files\Safari
2008-04-06 10:53 . 2008-04-06 10:53       <DIR>   d--------  C:\Program Files\iPod
2008-03-28 23:37 . 2008-03-28 23:37       90,112  --a------  C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37       57,344  --a------  C:\WINDOWS\system32\QuickTime.qts
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 12:04           ---------   d---a-w  C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-21 11:41           ---------   d-----w   C:\Documents and Settings\Administrator\Application Data\nView_Wallpaper
2008-04-21 05:24           ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 02:31           ---------   d-----w   C:\Program Files\Hitman Pro
2008-04-21 00:25           ---------   d-----w   C:\Program Files\SpywareBlaster
2008-04-21 00:00           ---------   d-----w   C:\Program Files\Java
2008-04-20 23:55           ---------   d-----w   C:\Program Files\Yahoo!
2008-04-18 03:27           32,264  ----a-w   C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-04-18 03:27           26,376  ----a-w   C:\WINDOWS\system32\drivers\vet-filt.sys
2008-04-18 03:27           21,512  ----a-w   C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-04-18 03:27           21,128  ----a-w   C:\WINDOWS\system32\drivers\vet-rec.sys
2008-04-12 06:44           ---------   d-----w   C:\Program Files\Hewlett-Packard
2008-04-12 03:37           ---------   d-----w   C:\Program Files\Google
2008-04-06 00:54           ---------   d-----w   C:\Program Files\iTunes
2008-04-06 00:50           ---------   d-----w   C:\Program Files\QuickTime
2008-03-18 12:56           ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-03-18 12:44           ---------   d--h--w  C:\Program Files\InstallShield Installation Information
2008-03-18 12:44           ---------   d-----w   C:\Program Files\ArcSoft
2008-03-18 12:43           ---------   d-----w   C:\Program Files\Readiris Pro 8
2008-03-18 12:37           ---------   d-----w   C:\Program Files\Common Files\Hewlett-Packard
2008-03-13 05:17           ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2008-03-08 10:24           ---------   d-----w   C:\Program Files\BitLord
2008-03-08 10:24           ---------   d-----w   C:\Program Files\Azureus
2008-03-08 10:23           ---------   d-----w   C:\Program Files\[u]0[/u]1-mp3search
2008-02-06 04:46           4,508,407          ----a-w   C:\hdd32.exe
2008-02-06 03:42           1,305,991          ----a-w   C:\SDFix.exe
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 15:56 1957888]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 15:30 1481968]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 20:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-04-18 13:27 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-04-18 13:27 234760]
"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [ ]
"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-04 17:03 7307264]
"nwiz"="nwiz.exe" [2005-11-04 17:03 1519616 C:\WINDOWS\system32\nwiz.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-04-05 06:03 188416]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-04-05 06:01 335872]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-05 06:04 49152]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 09:42 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 11:55 1103240]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
 
R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 03:00]
S0 epstwnt;epstwnt;C:\WINDOWS\system32\Drivers\epstwnt.mpd []
S2 SHARSHTL;Shuttle Sharer;C:\WINDOWS\system32\Drivers\sharshtl.sys []
 
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 00:02:21 C:\WINDOWS\Tasks\µTorrent.job"
- C:\PROGRA~1\uTorrent\uTorrent.exe
.
**************************************************************************
scanning hidden processes ...
 
scanning hidden autostart entries ...
 
scanning hidden files ...
 
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
Completion time: 2008-04-21 22:31:37
ComboFix-quarantined-files.txt  2008-04-21 12:31:13
ComboFix2.txt  2008-02-05 05:44:07
 
Pre-Run: 107,100,323,840 bytes free
Post-Run: 107,091,447,808 bytes free
 
111       --- E O F ---       2008-04-21 06:22:45
 
 
 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13069
 
   Posted 4-21-2008 3:40 (GMT +2)
Hello :)


I don't trust Spyware Doctor if it is the free version, as it is known to give false positives in that version, and there are no signs at all of SpywareNo in the other logs.


Do NOT post your problem in someone else's thread.

 

inhotwater
New Member


Date Joined Feb 2008
Total Posts : 13
 
   Posted 4-22-2008 3:49 (GMT +2)
Hi,

Thanks for that.

I have run Spyware Doctor (free version) again and it has picked up the RogueAntiSpyware.SpywareNo as well as a new threat called Trojan.Generic.

Do I just ignore them or is there something I should do?

Cheers
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13069
 
   Posted 4-22-2008 6:56 (GMT +2)
No, I think we should run a test :P


Please download siri.urz.free.fr/Fix/SmitfraudFix.exe (by S!Ri)

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (normally C:), and launch from there.


Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.


Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, normally C:\rapport.txt

Post rapport.txt, and tell me if Spyware Doctor still finds them.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
process.exe is detected by some antivirus programs as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


 

inhotwater
New Member


Date Joined Feb 2008
Total Posts : 13
 
   Posted 4-23-2008 3:34 (GMT +2)
Hi,

I have downloaded and run SmitFraudFix as you explained. The report follows.
I ran Spyware Doctor (free) and it is still showing Trojan.Generic (1 infection – Low risk) and RogueAntiSpyware.SpywareNo (7 infections – Medium Risk) just as before running SmitFraudFix.

Cheers.


SmitFraudFix v2.317

Scan done at 11:05:19.20, Wed 23/04/2008
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{13402C90-B70C-4ECE-940C-F0F502FBA0E8}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CCS\Services\Tcpip\..\{32DA0902-E806-48BD-9FE9-984DDFCDEDA7}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F51E32E2-8DC6-463F-80D5-BAD136A34854}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{13402C90-B70C-4ECE-940C-F0F502FBA0E8}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\..\{13402C90-B70C-4ECE-940C-F0F502FBA0E8}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\..\{32DA0902-E806-48BD-9FE9-984DDFCDEDA7}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F51E32E2-8DC6-463F-80D5-BAD136A34854}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{13402C90-B70C-4ECE-940C-F0F502FBA0E8}: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS3\Services\Tcpip\..\{32DA0902-E806-48BD-9FE9-984DDFCDEDA7}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F51E32E2-8DC6-463F-80D5-BAD136A34854}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=203.2.75.132 198.142.0.51


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 

inhotwater
New Member


Date Joined Feb 2008
Total Posts : 13
 
   Posted 4-25-2008 8:23 (GMT +2)
Hi Touch,

What should I do next?

Cheers.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 13069
 
   Posted 4-25-2008 9:08 (GMT +2)
I'll suggest you remove Spyware Doctor, as it seems it is the only scanner that "finds" them. All the other logs are clean.


 

inhotwater
New Member


Date Joined Feb 2008
Total Posts : 13
 
   Posted 4-28-2008 5:48 (GMT +2)
Hi Touch,

I have now deleted Spyware Doctor.

Basically, if I am understanding you correctly, it was picking up something that doesn't exist!

And that means I don't have anything to concern me?

Cheers.