adware/spyware and downloader infections



kinos
2007-10-20, 19:29
(Firstly, excuse any spelling mistakes; I had a double vision problem that made learning to spell correctly extremely hard, although I have tried hard to get this right as I obviously am asking for freely given assistance, which is greatly appreciated.)

I was running Spy Sweeper and Spybot - Search & Destroy. I don't have enough RAM (98 RAM) to run Spy Sweeper's program anymore and didn't renew my subscription to the program.

Looking for a replacement I came across TC-Spy,

which is flagging 8 types of spyware/adware and downloader issues (5 families),

which are:
Adware.Ndware
Adware.Toolbar.Mirrar.060927
Adware.Mediamotor.060927
spyware.SXload.070122
Downloader.AXE.060720

(all reported to be registry entries with the location HKCU/Microsoft/Windows/Current Version/Internet Settings)

I can quarantine them and remove them, but if I disable that program they come back. Also, if I do remove them, Javacool reports needware protection has been disabled; if I enable the protection, TC-Spy reports an Adware.Ndware infection. Same goes with the rest: if I enable immunisation with Spybot - Search & Destroy it reports that I have 19 unprotected items; if I immunise again and get no reports of non-immunisation, the other reported spyware etc. comes back according to TC-Spy.

The program does have a list of ActiveX protected sites and it may be a conflict, but what about the reported spyware etc.? Here I am stuck.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25:36, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TC-Spy\TC-Spy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Dad\Desktop\security\HijackThis.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=iepver=6ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=iepver=6ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=iepver=6ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TC-Spy] "C:\Program Files\TC-Spy\TC-Spy.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4834 bytes

(You will notice a-squared in there, which I downloaded to see if TC-Spy was being flagged itself; by all I can find there are no reports of it being a rogue program. I don't intend to keep this program; it takes an age to load, guessing due to lack of RAM, and doesn't run at all if TC-Spy is running.)

Online scanner log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 20, 2007 5:14:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/10/2007
Kaspersky Anti-Virus database records: 441591
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 26139
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:36:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dad\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF8338.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DFF7CD.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DFF9CD.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\DFC937QI-BMYKA4.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT05194.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0519a.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


I was asked at one point to provide a log from PC Pitstop so I include that for that reason. (That thread was closed as I didn't get back in time due to a death in the family and medical issues of my own, and in a PM I was told to repost any issues I had as the thread was old; this time I will endeavour to get back ASAP, as I know time is given freely and is valuable to many.)

Link to PC Pitstop:

http://www.pcpitstop.com/techexpress.asp?id=NHSVHWCHCDVSGLMV
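The helper's first step with a log like the one above is to read the O2/O4/O23 lines against the "Running processes" block and see which auto-start binaries are actually live (that is how TC-Spy.exe stands out). As an added example, not from this thread or from HijackThis, here is a small Python parser that does that review over a constructed excerpt copied from the posted log; parse_hjt and autostart_status are my own names.

```python
import ntpath
import re

# Constructed excerpt of the HijackThis log quoted in the post above (lines copied from it).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\TC-Spy\TC-Spy.exe
C:\Program Files\SpywareGuard\sgmain.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TC-Spy] "C:\Program Files\TC-Spy\TC-Spy.exe" -h
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# One pattern per HJT section that loads something at start-up: O2 = IE BHO, O4 = Run key / Startup folder, O23 = service.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[^}]+\} - (?P<cmd>.+)$"),
    "O4": re.compile(r"^O4 - [^:]+: (?:\[(?P<name>[^\]]+)\] |(?P<lnk>.+?) = )(?P<cmd>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) \([^)]+\) - .+? - (?P<cmd>.+)$"),
}
# First quoted or unquoted path ending in .exe/.dll; trailing arguments such as "-h" are dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll))', re.IGNORECASE)

def parse_hjt(text):
    """Return (running_processes, autostart_entries) parsed from a HijackThis log."""
    processes, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # the process block ends at the first blank line
            in_procs = bool(line)
            if line:
                processes.append(line)
            continue
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                exe = EXE_RE.match(m.group("cmd"))
                name = m.group("name") or m.groupdict().get("lnk")
                autostarts.append({"kind": kind, "name": name, "exe": exe.group("exe") if exe else m.group("cmd")})
                break
    return processes, autostarts

def autostart_status(text):
    """List (kind, name, exe, running) for each auto-start binary named in the log."""
    processes, autostarts = parse_hjt(text)
    # Compare lower-cased basenames: Run keys show 8.3 paths (PROGRA~1), the process list full paths.
    running = {ntpath.basename(p).lower() for p in processes}
    return [(a["kind"], a["name"], a["exe"], ntpath.basename(a["exe"]).lower() in running)
            for a in autostarts]
```

A BHO such as SDHelper.dll never shows as running because it loads inside Internet Explorer, so only .exe entries are meaningful in the last column.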

pskelley
2007-10-23, 15:19
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

My sympathies for your loss, here is the link from the last time you posted:
http://forums.spybot.info/showthread.php?t=16805

None of the information I gave you has changed. I see you have completed the diagnostic at PCPitStop and I am sure you clicked on the link by now. While there are minor problems indicated that you should look at by clicking the links at:
Customized Tune-up Tips to view the information, the major issue is your lack of memory and nothing will change that except adding more, and I would add lots when doing it.

http://www.pcpitstop.com/pcpitstop/Memory.asp <<< see this
http://www.pcpitstop.com/pcpitstop/MemAdd.asp

While the computer might run on that much RAM, that is about all it will do effectively. Issues you think are related to malware (as you can see the Kaspersky scan, which is one of the best, is clean) may be caused by performance problems due to lack of RAM.
http://8help.osu.edu/33987.html
http://www.google.com/search?hl=en&q=what+is+RAM&btnG=Search

Now let's discuss this program: C:\Program Files\TC-Spy\TC-Spy.exe
See what Prevx says about that executable: http://www.prevx.com/filenames/X1414738845471666770-0/TC-SPY.EXE.html

I suggest you do this:

Remove these items from your computer.
C:\Program Files\TC-Spy\TC-Spy.exe
C:\Program Files\a-squared Free\a2service.exe
(a-squared is a good program, but unless you own it, it is using resources you do not have)

You have good programs in Zone Alarm, AVG Anti-Virus SpywareGuard and Spybot. Keep these programs updated.

I suggest this free program but I can not say how it will run with no more RAM than you have. Removing the two programs above should create room and resources for it. The program is free from Microsoft:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

That will give you:
Anti-Virus: AVG
Firewall: ZA
Realtime Spyware program: Windows Defender
SpywareGuard
Spybot S&D
Understand once again, the computer will run with the RAM you have installed, but it will not run well.

http://www.google.com/search?hl=en&q=how+to+install+RAM&btnG=Search

Hope this helps

Thanks

kinos
2007-10-24, 02:16
Thanks for your time, esp. the links and advice.

Reading what Prevx says seems to fit the picture; I did get two entries deleted in the registry which I didn't ask it to do.
Also, the contact page says email us for advice (something I wouldn't do), but I couldn't find any email address.

(BTW, I did read the sticky.)

I did add AVG's free scanner, which negates SpywareGuard's man
(well, for 30 days anyway; its free time protection then ends). Although I am not keen on multiple programs, I wasn't happy with TC-Spy's definition of the reported spyware and also wanted to see if it flagged TC-Spy.

I will remove it and the others. One question, if I may: do you think using the Add/Remove function for TC-Spy is OK, or would it be possible that the program will destroy files if I try to remove it? (Then run CC to remove any entries it leaves.)

Sorry to ask more from you.
Again, thank you.

pskelley
2007-10-24, 02:36
To respond...I post the sticky for everyone, then they may not read it but they can never say it was not provided to them.

AVG Anti-Spyware 7.5 from Grisoft (if that is what you are talking about) is a fair program, but once the trial is over you need to turn it totally off (you should not see it running in the HJT log at all); it uses a lot of resources and provides no protection beyond the trial period.

SpywareGuard is probably the best free program you have on your computer. I would keep it updated and on there all of the time:
http://www.bleepingcomputer.com/forums/tutorial50.html

You should always uninstall programs from Add/Remove Programs. If a program does not install in Add/Remove Programs, and some rogue junk does not, to make it hard to remove, then you have to delete the folder, but that is surely not the preferable method. Best thing to do is avoid rogue junk like the plague: http://spywarewarrior.com/

would it be possible that the program will destroy files if i try to remove it
NO

CCleaner, if that is what you refer to, is a good cleaning tool; it will also clean your registry, but be sure you allow it to make a backup when it asks to.

Thanks

kinos
2007-10-26, 18:25
Thanks for resolving my concerns and educating me at the same time.

Words alone don't say how much the freely given time out of your life is appreciated.

Good karma to you and yours.

pskelley
2007-11-06, 14:38
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.