
Author Topic: ??Fake Spyware  (Read 17434 times)


Jim705

    Topic Starter


    Rookie

    ??Fake Spyware
    « on: April 03, 2008, 07:55:07 PM »
    Hi, I am using MS Vista. My PC works well, except about a week ago, I started getting three "popups".
    1- TrojanDownloader.xs
    2- Abebot
    3- System Integrity Scan Wizard and/or Security System Warning

    There is also a 1/2 diamond yellow icon in the bottom left tray that when clicked, brings up an advertisement for PC-Antispyware and PC-Cleaner

    I am guessing that this is a "fake spyware purchase scam" and that there is a way to eliminate the problem without going through the "Hijack" process. If that is my only recourse, I will perform all of the pre routines that are recommended.

    Prior to the problem, I had CA Anti Virus and the normal VISTA security installed and up to date. As a result of the problem I have installed CA Antispyware, Ad-Aware 2007 and Spybot S&D.

    Thanks in advance for your help. Jim

    Broni


      Mastermind
    Re: ??Fake Spyware
    « Reply #1 on: April 03, 2008, 09:42:22 PM »
    Print these instructions out.

    1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

        * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
        * An icon will be created on your desktop. Double-click that icon to launch the program.
        * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
        * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

        * Open SUPERAntiSpyware.
        * Under "Configuration and Preferences", click the Preferences button.
        * Click the Scanning Control tab.
        * Under Scanner Options make sure the following are checked (leave all others unchecked):
              o Close browsers before scanning.
              o Scan for tracking cookies.
              o Terminate memory threats before quarantining.
        * Click the "Close" button to leave the control center screen.
        * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
        * On the left, make sure you check C:\Fixed Drive.
        * On the right, under "Complete Scan", choose Perform Complete Scan.
        * Click "Next" to start the scan. Please be patient while it scans your computer.
        * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
        * Make sure everything has a checkmark next to it and click "Next".
        * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
        * If asked if you want to reboot, click "Yes".
        * To retrieve the removal information after reboot, launch SUPERAntispyware again.
              o Click Preferences, then click the Statistics/Logs tab.
              o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
              o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
              o Please copy and paste the Scan Log results in your next reply.
        * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RESTART COMPUTER!

    2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

        * Double-click mbam-setup.exe and follow the prompts to install the program.
        * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
        * If an update is found, it will download and install the latest version.
        * Once the program has loaded, select Perform full scan, then click Scan.
        * When the scan is complete, click OK, then Show Results to view the results.
        * Be sure that everything is checked, and click Remove Selected.
        * When completed, a log will open in Notepad.
        * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    3. Download HijackThis:
    http://www.snapfiles.com/get/hijackthis.html
    Post HijackThis log.

    Jim705

      Topic Starter


      Rookie

      Re: ??Fake Spyware
      « Reply #2 on: April 04, 2008, 01:57:39 PM »
      Thank you very much. I will follow the process suggested and get back when I have completed the steps. Jim

      Jim705

        Topic Starter


        Rookie

        Re: ??Fake Spyware-
        « Reply #3 on: April 04, 2008, 09:34:12 PM »
        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 04/04/2008 at 10:35 PM

        Application Version : 4.0.1154

        Core Rules Database Version : 3432
        Trace Rules Database Version: 1424

        Scan type       : Complete Scan
        Total Scan Time : 00:31:33

        Memory items scanned      : 215
        Memory threats detected   : 0
        Registry items scanned    : 6519
        Registry threats detected : 2
        File items scanned        : 91165
        File threats detected     : 110

        Trojan.Unknown Origin
           [xzgqxxzw] C:\WINDOWS\SYSTEM32\XAFUVGPE.EXE
           C:\WINDOWS\SYSTEM32\XAFUVGPE.EXE
           [XG16xFyz1R] C:\PROGRAMDATA\LGNIXEDO\NABONGTS.EXE
           C:\PROGRAMDATA\LGNIXEDO\NABONGTS.EXE
           C:\USERS\ALL USERS\LGNIXEDO\NABONGTS.EXE
           C:\Windows\Prefetch\XAFUVGPE.EXE-9BB87CA1.pf

        Adware.Tracking Cookie

        Trojan.Net-FKD/NMC
           C:\WINDOWS\FKDNRWSV.DLL

        Jim705

          Topic Starter


          Rookie

          Re: ??Fake Spyware - Malwarebytes
          « Reply #4 on: April 04, 2008, 09:36:04 PM »
          Malwarebytes' Anti-Malware 1.10
          Database version: 592

          Scan type: Full Scan (A:\|C:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|)
          Objects scanned: 127233
          Time elapsed: 23 minute(s), 51 second(s)

          Memory Processes Infected: 1
          Memory Modules Infected: 0
          Registry Keys Infected: 12
          Registry Values Infected: 1
          Registry Data Items Infected: 0
          Folders Infected: 3
          Files Infected: 17

          Memory Processes Infected:
          C:\Windows\System32\cjyhgjwz.exe (Trojan.FakeAlert) -> Unloaded process successfully.

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.

          Registry Values Infected:
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          C:\Windows\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\Administrator\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\james\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

          Files Infected:
          C:\Windows\System32\cjyhgjwz.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          C:\ProgramData\ftqupvuo\cvmxgtml.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          C:\Windows\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          C:\Windows\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\Administrator\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\james\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\james\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\james\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\james\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Users\james\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
          C:\Windows\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\Windows\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
          C:\Windows\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.

          Jim705

            Topic Starter


            Rookie

            Re: ??Fake Spyware - HiJack
            « Reply #5 on: April 04, 2008, 09:37:26 PM »
            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 11:27:48 PM, on 4/4/2008
            Platform: Windows Vista  (WinNT 6.00.1904)
            MSIE: Internet Explorer v7.00 (7.00.6000.16609)
            Boot mode: Normal

            Running processes:
            C:\Windows\system32\Dwm.exe
            C:\Windows\Explorer.EXE
            C:\Program Files\Windows Defender\MSASCui.exe
            C:\Windows\System32\rundll32.exe
            C:\Windows\system32\taskeng.exe
            C:\Windows\System32\rundll32.exe
            C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
            C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
            C:\Program Files\Common Files\microsoft shared\Works Shared\WkUFind.exe
            C:\Windows\System32\rundll32.exe
            C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
            C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
            C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
            C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
            C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
            K:\iTunes\iTunesHelper.exe
            C:\Program Files\Windows Sidebar\sidebar.exe
            C:\Program Files\Windows Media Player\wmpnscfg.exe
            C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
            C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
            C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
            C:\Windows\System32\mobsync.exe
            C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
            C:\Program Files\Internet Explorer\iexplore.exe
            C:\Windows\system32\SearchFilterHost.exe
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

            R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tampabay.rr.com/aroundtampabay/?event=default
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
            O1 - Hosts: ::1 localhost
            O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
            O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
            O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
            O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
            O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
            O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
            O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
            O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
            O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
            O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
            O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
            O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
            O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
            O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
            O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
            O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
            O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
            O4 - HKLM\..\Run: [iTunesHelper] "K:\iTunes\iTunesHelper.exe"
            O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
            O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
            O4 - HKCU\..\Run: [fkmoksop] C:\Windows\system32\cjyhgjwz.exe
            O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
            O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
            O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
            O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
            O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
            O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
            O4 - Global Startup: NCProTray.lnk = C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
            O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
            O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
            O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
            O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
            O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
            O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
            O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
            O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
            O13 - Gopher Prefix:
            O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
            O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
            O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
            O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
            O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
            O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
            O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
            O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
            O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
            O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
            O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
            O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
            O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

            --
            End of file - 9138 bytes

            Broni


            Re: ??Fake Spyware
            « Reply #6 on: April 04, 2008, 09:57:42 PM »
            *** Please, check your Java version: http://www.java.com/en/download/installed.jsp

            *** Disable Windows Defender, as it'll interfere with the cleaning process:
                * Open Windows Defender
                * Click Tools
                * Click General Settings
                * Scroll down to Real Time Protection Options
                * Uncheck Turn on Real Time Protection
                * After you uncheck this, click on the Save button
                * Close Windows Defender

            1. Print this post out, since you won't have access to it at some point.

            2. Close all windows, except for HijackThis.

            3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

            - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
            - *O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
            - *O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
            - *O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
            - *O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
            - *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
            - *O4 - HKLM\..\Run: [iTunesHelper] "K:\iTunes\iTunesHelper.exe"
            - *O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
            - O4 - HKCU\..\Run: [fkmoksop] C:\Windows\system32\cjyhgjwz.exe
            - *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            - *O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
            - *O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
            - *O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
            - O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

            4. Click on the "Fix checked" button.

            5. Restart your computer in Safe Mode (keep tapping the F8 key when your computer starts, until the menu appears).

            6. Open Windows Explorer. Go to Tools>Folder Options>View tab and put a checkmark next to "Show hidden files and folders".

            7. Delete the following files/folders (if present):

            - cjyhgjwz.exe file from C:\Windows\system32

            8. Restart in Normal Mode.

            9. Post new HijackThis log.
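
One way to make the manual review in this reply repeatable, as an added example that is neither HijackThis code nor Broni's own procedure: a small Python script that parses the O4 (autorun) lines of a HijackThis log and scores each one with constructed heuristics. The signals are the ones a reviewer applies by eye above: an image under system32 that is not a known Windows binary, a machine-generated-looking file name, a machine-generated-looking Run value name, and a startup shortcut whose target could not be resolved. The sample log, the allowlist and the scoring weights are assumptions made for this example; the O4 lines in the sample are the ones quoted in this thread.

```python
# Added example for this thread: constructed heuristics over HijackThis O4 lines.
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: O4 lines as quoted in the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKCU\..\Run: [fkmoksop] C:\Windows\system32\cjyhgjwz.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# Constructed allowlist: Windows binaries expected to autorun from system32.
KNOWN_SYSTEM32 = {"rundll32.exe", "userinit.exe", "ctfmon.exe"}

@dataclass
class Finding:
    name: str              # Run value name or shortcut name
    image: str             # program launched
    module: Optional[str]  # DLL/CPL handed to a rundll32 host, if any
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "suspicious" if self.score >= 3 else ("review" if self.score else "clean")

def looks_random(stem: str) -> bool:
    """6-10 lowercase ASCII letters with at most a quarter vowels (cjyhgjwz, fkmoksop).
    Short vendor names such as cctray also match, so this signal is worth one point only."""
    if not (6 <= len(stem) <= 10 and stem.isascii() and stem.isalpha() and stem.islower()):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.25

def split_command(cmd: str) -> Tuple[str, Optional[str]]:
    """Return (image, module) for an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, possibly with arguments
        end = cmd.find('"', 1)
        end = len(cmd) if end == -1 else end
        image, rest = cmd[1:end], cmd[end + 1:]
    else:                                         # unquoted path: cut at the first .exe
        m = re.match(r"(.+?\.(?:exe|scr|com))(?=\s|$)", cmd, re.I)
        image = m.group(1) if m else cmd.split(" ", 1)[0]
        rest = cmd[len(image):]
    module = None
    if ntpath.basename(image).lower() in ("rundll32.exe", "rundll32"):
        m = re.match(r"\s*(.+?\.(?:dll|cpl))(?=,|\s|$)", rest, re.I)
        module = m.group(1) if m else None
    return image, module

def parse_o4(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, command) for a Run-key or Global Startup O4 line, else None."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return m.group("name"), re.sub(r"\s+\(User '[^']*'\)$", "", m.group("cmd"))
    m = STARTUP_RE.match(line)
    return (m.group("name"), m.group("cmd")) if m else None

def assess(line: str) -> Optional[Finding]:
    """Score one O4 line; None for lines that are not O4 autoruns."""
    parsed = parse_o4(line)
    if parsed is None:
        return None
    name, cmd = parsed
    image, module = split_command(cmd)
    payload = module or image                     # judge the DLL, not the rundll32 host
    base = ntpath.basename(payload)
    f = Finding(name, image, module)
    if payload == "?":
        f.score += 1
        f.reasons.append("shortcut target could not be resolved")
    if ntpath.dirname(payload).lower().endswith("\\system32") and base.lower() not in KNOWN_SYSTEM32:
        f.score += 2
        f.reasons.append("non-allowlisted image under system32")
    if looks_random(base.rsplit(".", 1)[0]):
        f.score += 1
        f.reasons.append("random-looking file name")
    if looks_random(name):
        f.score += 1
        f.reasons.append("random-looking Run value name")
    return f

def triage(log_text: str) -> List[Finding]:
    """Assess every O4 line of a HijackThis log, in log order."""
    return [f for f in map(assess, log_text.splitlines()) if f is not None]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:10} [{f.name}] {f.module or f.image}  {'; '.join(f.reasons)}")
```

The output is a score, not a verdict. Only the entry Broni fixed without a star (random value name, random file name, placed in system32) reaches "suspicious"; the CA tray applet lands in "review" because its short lowercase name trips the name heuristic, and the nvsvc.dll entry loaded through rundll32 lands there because vendor drivers also install into system32. Entries the reply marked with * (benign startups disabled for speed) stay "clean", which is the distinction the reply draws between unnecessary and malicious autoruns.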

            Jim705

              Topic Starter

              Re: ??Fake Spyware
              « Reply #7 on: April 05, 2008, 07:27:42 AM »
              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 9:23:41 AM, on 4/5/2008
              Platform: Windows Vista  (WinNT 6.00.1904)
              MSIE: Internet Explorer v7.00 (7.00.6000.16609)
              Boot mode: Normal

              Running processes:
              C:\Windows\system32\Dwm.exe
              C:\Windows\Explorer.EXE
              C:\Windows\system32\taskeng.exe
              C:\Program Files\Windows Defender\MSASCui.exe
              C:\Windows\System32\rundll32.exe
              C:\Windows\System32\rundll32.exe
              C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
              C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
              C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
              C:\Windows\System32\rundll32.exe
              C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
              C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
              C:\Program Files\Windows Sidebar\sidebar.exe
              C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
              C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
              C:\Program Files\Windows Media Player\wmpnscfg.exe
              C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tampabay.rr.com/aroundtampabay/?event=default
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
              R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
              O1 - Hosts: ::1 localhost
              O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
              O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
              O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
              O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
              O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
              O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
              O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
              O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
              O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
              O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
              O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
              O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
              O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
              O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
              O4 - Global Startup: NCProTray.lnk = C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
              O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
              O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
              O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
              O13 - Gopher Prefix:
              O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
              O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
              O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
              O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
              O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
              O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
              O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
              O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
              O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
              O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

              --
              End of file - 7376 bytes

              sweeteyes



                Newbie

                Fake Spyware
                « Reply #8 on: April 05, 2008, 09:16:54 AM »
                Hiya Jim, hope you don't mind me contacting you. I only found this site late last night. I don't have a lot of know-how about computers. Anyway, when I found this site I couldn't believe it when I read your post that you have had the exact same 3 pop-ups as myself. Mine started about 4/5 days ago. I couldn't understand how they got in when I have Norton 360, which is supposed to stop that kind of thing. I mean, what's the point of buying the software if pop-ups still get in! How have you got on? Have you managed to follow what the lady said to do? Jim, can you let me know if it works. Thanks, Dawn. :)

                Broni


                Re: ??Fake Spyware
                « Reply #9 on: April 05, 2008, 09:34:07 AM »
                sweeteyes
                You should rather start your own topic, and we'll check your computer as well.

                Jim705
                Good job :)

                HJT log is clean.

                1. Turn off System Restore:

                - Windows XP:
                   1. Click Start.
                   2. Right-click the My Computer icon, and then click Properties.
                   3. Click the System Restore tab.
                   4. Check "Turn off System Restore".
                   5. Click Apply.
                   6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
                   7. Click OK.
                - Windows Vista:
                   1. Click Start.
                   2. Right-click the Computer icon, and then click Properties.
                   3. Click on System Protection under the Tasks column on the left side.
                   4. Click on Continue on the "User Account Control" window that pops up.
                   5. Under the System Protection tab, find Available Disks.
                   6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
                   7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
                   8. Click OK.

                2. Restart computer.

                3. Turn System Restore on. Create new Restore Point.

                4. Download and install CCleaner: http://www.ccleaner.com/download/builds. Get the "Slim" version.
                Read the CCleaner instructions here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner.

                6. Download and install the free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malware.
                It won't interfere with your antivirus or firewall.

                7. Let me know how your computer is doing.

                Jim705

                  Topic Starter

                  Re: ??Fake Spyware
                  « Reply #10 on: April 05, 2008, 02:44:26 PM »
                  Dear Broni, my PC seems to be fine. Thank you very much for guiding me through a complex process.

                  I do have one additional possible problem. My guess is it is separate from the above resolved issue.

                  1- Several weeks ago, I noticed a "desktop.ini" icon on my desktop. I tried to delete it. It is now "semi-transparent", i.e., not as bright as other icons. When I right-click and open it, the following text is listed:
                   
                  [.ShellClassInfo]
                  LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
                  IconResource=%SystemRoot%\system32\imageres.dll,-183
                  [LocalizedFileNames]
                  Windows Mail.lnk=@%ProgramFiles%\Windows Mail\WinMail.exe,-225
                  Windows Contacts.lnk=@%SystemRoot%\system32\shell32.dll,-22017
                  Backup and Restore Center.lnk=@%systemroot%\system32\brcpl.dll,-1


                  2- I also still have this file on my system: C:\Administrator\DeskTop.Trojan.win32.BlackBird.exe. I have the same file in C:\James\Desktop...etc.

                  Again, it doesn't seem that these two items are actively causing a problem.    Jim

                  Broni


                  Re: ??Fake Spyware
                  « Reply #11 on: April 05, 2008, 03:51:15 PM »
                  1. There are a whole bunch of desktop.ini files all over your computer. They're created when you change your folder settings. They're hidden system files. In Windows Explorer go to Tools>Folder Options>View tab, and put a checkmark next to "Hide protected operating system files". They should disappear from your view.
                  2. I don't like it, but for now delete both files. Run a full scan with ThreatFire. How did you find them?

                  Jim705

                    Topic Starter

                    Re: ??Fake Spyware
                    « Reply #12 on: April 05, 2008, 05:00:59 PM »
                    The desktop.ini (the icon that is semi-transparent) that I was referring to is on my Windows Vista desktop. I found it by doing a search for "desktop". The C:\User\Administration\DeskTop.Trojan.BlackBird.exe was found. I went into My Computer/Windows Explorer and it was there. I had "view hidden files" checked.

                    I will delete all of the Desktop.w32.BlackBird.exe files manually and run ThreatFire again.

                    Thanks.  Jim

                    Broni


                    Re: ??Fake Spyware
                    « Reply #13 on: April 05, 2008, 05:55:40 PM »
                    Keep me updated.

                    sweeteyes




                      Re: ??Fake Spyware
                      « Reply #14 on: April 06, 2008, 06:47:21 AM »

                      Hi, I am using Windows Vista. My PC works well, except about 4/5 days ago I started getting three "popups", the same ones as Jim:
                      1- TrojanDownloader.xs
                      2- Abebot
                      3- System Integrity Scan Wizard and/or Security System Warning

                      There is also a 1/2 diamond yellow icon in the bottom left tray that, when clicked, brings up an advertisement for PC-Antispyware and PC-Cleaner. I have Norton 360 running on my PC.
                      I followed the steps that Broni gave Jim and the first part went fine, then I tried step 2, which was to download Malwarebytes Anti-Malware: http://www.majorgeeks.com/malwarebytes_anti-malware_d5756.html

                      I clicked on the download and it went through the motions, then at the end I got a box pop up which read: c:\program files\uniblue\registrybooster2\registrybooster.exe create process failed, code 740 the requested operation failed elevation.

                      I'm not very well up on computers, please can anyone help! Thanks, Dawn