
spyweb soldier keeps popping up :(



carterhamish
2006-10-31, 18:32
hi there,
it has been 2 days since I've been seeing these symptoms:
1. The toolbar is popping yellow balloons as if they were Windows warnings and keeps telling me about:

my spyware protection level is critical
The level is 30%, 94% or etc..
And directs me to click the balloon to resolve the problem.

2. Whenever I do some surfing or a search, the "www.spyweb.net" webpage opens.

3. The "www.spyweb.net" page opens by itself automatically, even if I don't open IE.

After seeing those I followed the directions on the forum:

http://forums.spybot.info/showthread.php?t=4015

and am posting the log files from AVG, HJT and SmitFraudFix in the following messages....

I will be thankful if somebody could help me with this...:sad:

carterhamish
2006-10-31, 18:34
Logfile of HijackThis v1.99.1
Scan saved at 18:16:59, on 31.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\DC++\Downloads\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ASGP32.ASGP - {BB89F547-37EC-4920-880C-9D553B1C788C} - C:\WINDOWS\system32\asgp32.dll
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162206816018
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFAEF2AE-FA44-4E89-9854-1849B1CAAE1C}: NameServer = 10.0.0.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

carterhamish
2006-10-31, 18:35
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:50:41 31.10.2006

+ Scan result:



HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7070A8F9-08A4-CA47-0AB0-1EB9E4EE1F3B} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00110011-4B0B-44D5-9718-90C88817369B} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{086AE192-23A6-48D6-96EC-715F53797E85} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11904CE8-632A-4856-A7CC-00B33FE71BD8} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{150FA160-130D-451F-B863-B655061432BA} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15ACE85C-0BB1-42D1-9E32-07EB0506675A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{17DA0C9E-4A27-4AC5-BB75-5D24B8CDB972} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C4DA27D-4D52-4465-A089-98E01BB725CA} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{202A961F-23AE-42B1-9505-FFE3C818D717} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2D38A51A-23C9-48A1-A33C-48675AA2B494} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5753791B-F607-48CA-814E-91C14D081F9E} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{746455FE-D059-47E7-AF0E-140E03F5A447} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{860C2F6B-CA82-4282-9187-BECCBB66F0AF} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87185E78-A61B-4DB3-965A-3235BBD7A622} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DC8F96D-34F7-1501-A2A4-631341AA3AC1} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C5875B8-93F3-429D-FF34-660B206D897A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2595F37-48D0-46A1-9B51-478591A97764} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B212D577-05B7-4963-911E-4A8588160DFA} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF021F40-3E14-23A5-CBA2-717765721306} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1AC752E-883F-4ED8-8828-B618C3A72152} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2B2B5A1-B48C-4886-A318-723916A01024} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2DDF680-9905-4DEE-8C64-0A5DE7FE133C} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E3EEBBE8-9CAB-4C76-B26A-747E25EBB4C6} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E6D5237D-A6C7-4C83-A67F-F9F15586FA62} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7AFFF2A-1B57-49C7-BF6B-E5123394C970} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD9BC004-8331-4457-B830-4759FF704C22} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FE2D25C1-C1DB-4B5E-9390-AF1CB5302F32} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1677128483-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A7E6D97-B492-4884-9ABB-C31281DCC4F2} -> Adware.VipSearcher : Cleaned with backup (quarantined).
C:\WINDOWS\system32\shqbjlib.yua -> Hijacker.Small.js : Cleaned with backup (quarantined).
C:\Documents and Settings\Onur\Local Settings\Temp\Cookies\onur@e-2dj6wjmycjc5sco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Onur\Local Settings\Temp\Cookies\onur@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Onur\Local Settings\Temp\Cookies\onur@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Internet Explorer\IEXPL0RE.EXE -> Trojan.QQShou.er : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ravsuteibie.exe -> Trojan.QQShou.er : Cleaned with backup (quarantined).
C:\system.hta -> Trojan.Zapchast.i : Cleaned with backup (quarantined).


::Report end

carterhamish
2006-10-31, 18:37
SmitFraudFix v2.117

Scan done at 16:13:37,91, 31.10.2006
Run from C:\Documents and Settings\Onur\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Srm 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\accesss.exe Deleted
C:\WINDOWS\astctl32.ocx Deleted
C:\WINDOWS\avpcc.dll Deleted
C:\WINDOWS\clrssn.exe Deleted
C:\WINDOWS\cpan.dll Deleted
C:\WINDOWS\dialup.exe Deleted
C:\WINDOWS\inetdctr.dll Deleted
C:\WINDOWS\mtwirl32.dll Deleted
C:\WINDOWS\notepad32.exe Deleted
C:\WINDOWS\olehelp.exe Deleted
C:\WINDOWS\runwin32.exe Deleted
C:\WINDOWS\spp3.dll Deleted
C:\WINDOWS\systeem.exe Deleted
C:\WINDOWS\systemcritical.exe Deleted
C:\WINDOWS\time.exe Deleted
C:\WINDOWS\users32.exe Deleted
C:\WINDOWS\waol.exe Deleted
C:\WINDOWS\win32e.exe Deleted
C:\WINDOWS\win64.exe Deleted
C:\WINDOWS\winajbm.dll Deleted
C:\WINDOWS\window.exe Deleted
C:\WINDOWS\wininet32.exe Deleted
C:\WINDOWS\winmgnt.exe Deleted
C:\WINDOWS\x.exe Deleted
C:\WINDOWS\xplugin.dll Deleted
C:\WINDOWS\xxxvideo.hta Deleted
C:\WINDOWS\y.exe Deleted
C:\WINDOWS\system32\ace16win.dll Deleted
C:\WINDOWS\system32\anti_troj.exe Deleted
C:\WINDOWS\system32\dload.exe Deleted
C:\WINDOWS\system32\iewd.exe Deleted
C:\WINDOWS\system32\ioctrl.dll Deleted
C:\WINDOWS\system32\kernels64.exe Deleted
C:\WINDOWS\system32\lfd.dat Deleted
C:\WINDOWS\system32\mpsegment.exe Deleted
C:\WINDOWS\system32\msmapi32.exe Deleted
C:\WINDOWS\system32\msmsn.exe Deleted
C:\WINDOWS\system32\msvol.tlb Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\netstat2.exe Deleted
C:\WINDOWS\system32\oiso.bin Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\pcf.pdf Deleted
C:\WINDOWS\system32\perfont.exe Deleted
C:\WINDOWS\system32\performent202.dll Deleted
C:\WINDOWS\system32\POPCORN72.EXE Deleted
C:\WINDOWS\system32\proqlaim.exe Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\vxgamet?.exe Deleted
C:\WINDOWS\system32\vxh8jkdq?.exe Deleted
C:\WINDOWS\system32\win32hp.dll Deleted
C:\WINDOWS\system32\winmuse.exe Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

tashi
2006-11-07, 21:00
Hello and sorry for the wait.

If you have not resolved the problem, we do have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

tashi
2006-11-19, 04:06
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.