Topic: Severe spyware found by NoAdware v5.0 after AVG v7.5 full to v8.0 full upgrade

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Download Unlocker 1.8.6 (scroll down the page a little)

Use Unlocker to try and delete the file. You will just right click it and choose Unlocker, then select delete.

If that doesn't work then try to delete it in safe mode.

lectrocrew

    Topic Starter


    Mentor

  • ole dog learning new tricks
  • Thanked: 21
    • Yes
    • Yes
    • My first self-built computer
  • Certifications: List
  • Computer: Specs
  • Experience: Familiar
  • OS: Windows 10
Unlocker 1.8.6 won't delete it. It asked if I wanted it to perform the delete operation at next start-up and I clicked yes. Should I re-start now to try?

lectrocrew

Oh, I'm sorry. How do I delete it in safe mode?

evilfantasy

See if it is gone after restarting. If not then restart in safe mode and try to delete it.

Starting your computer in safe mode
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

lectrocrew

Quote
See if it is gone after restarting.
It's gone. Yeah!!!

I'm going to have to leave for work in a few minutes. I'm sure you're getting tired anyway. I have an appointment after work in the morning but will log back on afterward. When you get time, I'll need to get instructions on deleting the files in the latest NoAdware scan shown below.
Thanks again for all your help!!!

Noadware v5.0 --------------------------
Reference File = C:\Program Files\NoAdware5.0\noadware4_042108.na
---------------------------

Spyware Name = Kazaa
Location = HKEY_CURRENT_USER\software\kazaa
Type = RegKey

Spyware Name = Kazaa
Location = HKEY_CURRENT_USER\Software\Kazaa\LocalContent
Type = RegKey

Spyware Name = Backdoor.Bifrose
Location = HKEY_CURRENT_USER\Software\Wget
Type = RegKey

Spyware Name = Trojan.PWS.Tanspy
Location = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load
Type = RegKey

Spyware Name = Tracking Cookie
Location = 2o7
Type = Cookie

Spyware Name = Tracking Cookie
Location = ad.yieldmanager
Type = Cookie

Spyware Name = Tracking Cookie
Location = adinterax
Type = Cookie

Spyware Name = Tracking Cookie
Location = adopt.specificclick
Type = Cookie

Spyware Name = Tracking Cookie
Location = ads.pointroll
Type = Cookie

Spyware Name = Tracking Cookie
Location = advertising
Type = Cookie

Spyware Name = Tracking Cookie
Location = atdmt
Type = Cookie

Spyware Name = Tracking Cookie
Location = bluestreak
Type = Cookie

Spyware Name = Tracking Cookie
Location = DoubleClick
Type = Cookie

Spyware Name = Tracking Cookie
Location = media.adrevolver
Type = Cookie

Spyware Name = Tracking Cookie
Location = richmedia.yahoo
Type = Cookie

Spyware Name = Tracking Cookie
Location = specificclick
Type = Cookie

Spyware Name = Tracking Cookie
Location = ssl-hints.netflame
Type = Cookie

Spyware Name = Tracking Cookie
Location = xiti
Type = Cookie

Spyware Name = AntiVirusGold
Location = C:\Program Files\AVG
Type = Directory

evilfantasy

Try running Spybot and see if it gets rid of them. I am sort of wondering about Noadware now that I am positive it is seeing AVG as antivirusgold when it is clearly not that.

http://www.filehippo.com/download_spybot_search_destroy/
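
Added example (not part of any forum post, and not NoAdware's or AVG's code): the Python below parses the Name / Location / Type layout of the scan log posted above and sorts the findings for triage, so that a detection such as "AntiVirusGold" pointing at the AVG install folder is set aside for verification instead of deletion. The sample log is a constructed subset of that log; `KNOWN_GOOD_DIRS` and the labels `low`, `verify` and `review` are assumptions made for this example.

```python
import re

# Constructed sample: a subset of the entries in the log posted above.
SAMPLE_LOG = r"""
Spyware Name = Kazaa
Location = HKEY_CURRENT_USER\software\kazaa
Type = RegKey

Spyware Name = Tracking Cookie
Location = DoubleClick
Type = Cookie

Spyware Name = AntiVirusGold
Location = C:\Program Files\AVG
Type = Directory
"""

# Assumption: folders of security products the user knowingly installed.
KNOWN_GOOD_DIRS = {r"c:\program files\avg"}
KEYS = {"Spyware Name": "name", "Location": "location", "Type": "type"}
FIELD = re.compile(r"^\s*(Spyware Name|Location|Type)\s*=\s*(.*?)\s*$")

def parse_findings(text):
    """Return one {name, location, type} dict per log entry."""
    findings, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines, banner, "Reference File = ..."
        key, value = m.groups()
        if key == "Spyware Name" and current:
            findings.append(current)  # a new entry starts here
            current = {}
        current[KEYS[key]] = value
    if current:
        findings.append(current)
    return findings

def triage(finding):
    """Label a finding 'low', 'verify' or 'review' (labels are this example's)."""
    kind = finding.get("type")
    location = finding.get("location", "").rstrip("\\").lower()
    if kind == "Cookie":
        return "low"      # tracking cookie: no executable content
    if kind == "Directory" and location in KNOWN_GOOD_DIRS:
        return "verify"   # detection name conflicts with a known product folder
    return "review"       # registry keys and unknown paths: inspect by hand

def summarize(text):
    return [(f.get("name"), f.get("location"), triage(f)) for f in parse_findings(text)]
```
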

lectrocrew

Good morning evilfantasy.
I'm currently on another computer because mine has become so slow it took over 6 minutes to load this forum page after I clicked on the link in 'My Favorites'.
I tried installing spybot but it's so slow that I got an error box before the file could download. The box says:
"File Download
Error sending request the operation timed out".
 My internet speed has been getting progressively slower during the time we have been trying to delete this AntiVirusGold file. Should I try removing some of those programs we have been using that are still on my desktop? There are a couple that run when I start my computer like Secunia and Unlocker assistant. Several icons on my desktop include
OTMoveIt2
Smithfraud
mbam
sniper.exe
hjt
kscan
unlocker1.8.6

Also, my AVG8 does not show any threats in the scan it did overnight, but it does ask if I want to remove 135 potentially dangerous files. Should I let it delete those files yet?


evilfantasy

You can uninstall or delete
OTMoveIt2
Smithfraud
sniper.exe
hjt
kscan
unlocker1.8.6

I would keep MBAM as it doesn't run unless you want it to and is great for an occasional scan.

Try working through some of the steps HERE including Disk cleanup, disk defrag and Manage autostart items. See if that improves performance.


lectrocrew

Okay, I got most everything deleted and uninstalled and she's back running real well. Thanks so much for all your help!!!
I'll go through the list of maintenance items listed in your link later this evening. We've had 2 other mechanics call in sick where I work the last 2 nights and I've been working my *censored* off keeping all the extra machinery running by myself. And without much sleep the last few days, I won't be able to stay awake any longer enough to get all the maintenance steps done, not right anyway lol.
Wow, we've spent a lot of time working on this AntiVirusGold thing which looks like nothing to worry about anyway. It has been a real good learning experience for me.
Thanks again!
BTW, is there a link to contribute a donation to this board? It's been very helpful to me a few times and since it doesn't have a bunch of advertisements bothering everything, I figure I should help out with the operations. :)
later,
Mike

evilfantasy

Glad everything is getting back to normal :) Sometimes the simple ones turn into real beasts when the layers begin to get un-peeled!

We don't accept donations and I did ask this question once to the owner Nathan. Here is his response.

Please refer users who're wanting to donate to the below link:

http://www.computerhope.com/issues/ch000586.htm

Although I've accepted donations in the past I originally created Computer Hope to help users and not make millions. The money I make from Google is enough to support me and Computer Hope and keep the site free without the need of donations.

Let me know if there is anything else. I am sort of wondering about Noadware now. I don't think it is bad, but they shouldn't be flagging AVG as malicious. Spybot should get anything that is left over though.

Cheers.

lectrocrew

My computer was running fine at the time I last posted, but over the last few days has become really slow again. Web surfing speed is intermittent. One minute it loads the page very quickly, then on the next click it times out and gives me the message below:

Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

What you can try:
Diagnose Connection Problems

More information

-------------------
My wireless connection is "Very Good / 54 Mbps".
There are 2 other computers in the house on this DSL connection, {1 wired / 1 wireless}. They have normal consistent browsing speed.
Since I installed various new hardware devices back around early March, {250 Gb internal drive, 320 Gb external drive, 1Gb x 2 SDRAM, NVidia graphics card, CD-RW drive, DVD-RW drive, etc.}, my browsing speed has been fast and consistent. It wasn't until I found this AntiVirusGold etc. that I started having slow performance problems. I'm not saying the AntiVirusGold is the culprit, nor any other virus / spyware etc., but possibly something I did during the process of investigating this.

Since I last posted I have
performed maintenance tasks listed in your guide,
purchased the MBAM software paid version,
re-installed Spybot,
un-installed AVG8 then re-installed AVG 7.5 with no improvement, then un-installed AVG 7.5 / installed AVG8, {AVG had broken / partial fonts in the scan log results. After re-installing AVG8 this is still happening.} I don't see how to 'copy paste' or 'save as' a scan log for AVG?
un-installed NoAdware,
installed Windows Defender,

I've noticed on my computer is: the image I'm supposed to see on the Java test page does not show up as it is supposed to, but on the 'verify installation' page it says,
Verified Java Version

"Congratulations!

You have the recommended Java installed (1.6.0_06)."
-----------------------
ALSO,
Somewhere along the way while investigating that AntiVirusGold I came up with an Ebay icon on my desktop. I did not click on it because I was suspicious and when I scanned with MBAM on 4-22-08 it found:
"Files Infected:
C:\Documents and Settings\Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent)"
But even after MBAM was supposed to have removed this Ebay threat, I still had an Ebay shortcut in my quick launch taskbar. I right clicked on it and tried to delete it, but it did not give me a drop-down menu with delete option. Then I dragged it to my desktop and tried to delete it there with the same result. It is still there. How do I get rid of this safely?

MBAM scan log for 4-22-08 below followed by most recent scan log:
=======================
Malwarebytes' Anti-Malware 1.11
Database version: 670

Scan type: Full Scan (C:\|F:\|L:\|)
Objects scanned: 130316
Time elapsed: 48 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.


========================
SUPERAntiSpyware and MBAM log for today attached:

[recovering space - attachment deleted by admin]

lectrocrew

SUPERAntiSpyware log attached

[recovering space - attachment deleted by admin]

evilfantasy

A few questions.

Is there an entry in add/remove programs that is related to the new eBay icon?
Have you tried to delete it in safe mode?
Are the other computers running AVG as well?

Download Panda Anti-Rootkit.zip
Unzip it and run the PAVARK.exe file.
Tick the box that says In depth scan and follow the on screen instructions.
Let me know the results in your reply and also post a new Hijackthis log.

lectrocrew

Quote
A few questions.

Is there an entry in add/remove programs that is related to the new eBay icon?
No, FYI, I did find another program that I missed earlier that I don't remember installing, "WebEx", so I un-installed it.
Quote
Have you tried to delete it in safe mode?
I had not tried deleting in safe mode yet but did try this morning and the Ebay icon did delete.
Quote
Are the other computers running AVG as well?
The wired desktop computer is running AVG, the wired / wireless notebook is running Trend Micro.

Quote
Download Panda Anti-Rootkit.zip
Unzip it and run the PAVARK.exe file.
Tick the box that says In depth scan and follow the on screen instructions.
Let me know the results in your reply and also post a new Hijackthis log.
The first HJT log is from last night before deleting the ebay icon, 2nd HJT log is from today after deleting the Ebay icon. PAVARK is also after deleting Ebay icon.
I have not deleted anything yet with HJT.
-----------------
Panda results = scanned 4785 items / rootkits detected  0
-----------------
BTW, I've surfed several sites after re-starting and performance seems to be doing extremely well so far.


[recovering space - attachment deleted by admin]

lectrocrew

Quote from: evilfantasy
Is there an entry in add/remove programs that is related to the new eBay icon?
Quote from: lectrocrew
No, FYI, I did find another program that I missed earlier that I don't remember installing, "WebEx", so I un-installed it.
Never mind. I googled it and it is software provided by Cisco, which is the parent company of Linksys, the manufacturer of my wireless router, adapter and print server. I evidently installed it when installing software for one of these devices.