Removing Spyware caused by Screen Mates! Help!



Gaming4JC
2006-12-04, 23:00
Hello,
I recently downloaded some Screen Mates from Screenmates.com. They seemed pretty cool at first and Spybot didn't pick up any spyware.
(Cuz they are new ones, so I guess they've not been found yet :P )

Anyway, I picked up some old ones that Spybot found and removed the registry entry. However, I'm certain I still have some of the spyware since the old ones were picked up.

If it is possible, I wish to remove the spyware and keep the screen mates :laugh:

If not well... I guess I'll get rid of them, since they are quite bad with adware etc... :sad:


Here is the Spybot S&D log in PDF, since my Adobe can be made a Printer this is the only way I know how to make it...
http://www.rocketsoft.gm-school.uni.cc/uploads/Spybot%20-%20Search%20&%20Destroy%20scan%20report.pdf

Please tell me how to remove the Screen-Mates spyware :spider:
I browsed in Regedit, btw, and some of the screenmates' reg keys are in places other than just AdTools Inc., such as:
HKEY_CURRENT_USER\Software\Ice Age ScreenMate

Your time is greatly appreciated.


Gaming4JC

Gaming4JC
2006-12-05, 00:09
Oh, and one more thing.
ZoneAlarm detected that the screenmates wanted to access the internet.
I denied access, so I'm guessing even if it is spyware I'm probably safe for now. :angel:

Gaming4JC

LonnyRJones
2006-12-11, 12:03
Welcome to the forum

Post a SpyBot results report.
Run SpyBot check for problems, fix all red items, when it's finished right click and choose copy results (not full report) to clipboard and paste that back here please. We don't need to see cookies and tracks.

Please go here and follow instructions.
http://forums.spybot.info/showthread.php?t=288
Post a HijackThis log and an online scan report here in this thread.

Gaming4JC
2006-12-12, 04:13
:oops:

Here you are:


Message Mates: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-2139871995-725345543-1004\Software\AdTools, Inc.


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-05-29 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-01 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-12-01 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-01 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-12-01 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-01 Includes\PUPSC.sbi (*)
2006-12-01 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-12-01 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-01 Includes\Trojans.sbi (*)
2006-12-01 Includes\TrojansC.sbi (*)



HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:01:23 PM, on 12/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Documents and Settings\Luke\Start Menu\Programs\Startup\VGSAutorun.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ice Age ScreenMate\Ice Age ScreenMate.exe
C:\Program Files\Lost In Space\Lost In Space.exe
C:\Program Files\Finding Nemo ScreenMate\Finding Nemo ScreenMate.exe
C:\Documents and Settings\Luke\My Documents\My Downloads\security\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Finding Nemo ScreenMate] "C:\Program Files\Finding Nemo ScreenMate\Finding Nemo ScreenMate.exe" -r
O4 - HKCU\..\Run: [Lost In Space] C:\Program Files\Lost In Space\Lost In Space.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O4 - Startup: VGSAutorun.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148950792843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157648596875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28CF5789-BFE9-4C50-8EFB-0AA167E18C09}: NameServer = 207.172.3.8
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Hope that is what you need :red:

Gaming4JC
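As an added example (not part of this thread or of any tool mentioned in it), here is a small Python parser for the O4 Run entries of a HijackThis log like the one posted above, flagging autorun entries that mention the screen-mate products named in this thread. The sample lines are constructed to mirror the posted log, and the watch list of product names is an assumption.

```python
import re

# Constructed sample lines in HijackThis O4 format, modelled on the log posted
# above (the names and paths are the ones that appear in that log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Finding Nemo ScreenMate] "C:\\Program Files\\Finding Nemo ScreenMate\\Finding Nemo ScreenMate.exe" -r
O4 - HKCU\\..\\Run: [Lost In Space] C:\\Program Files\\Lost In Space\\Lost In Space.exe
O4 - Startup: WordWeb.lnk = C:\\Program Files\\WordWeb\\wweb32.exe
"""

# Assumed watch list: product names the thread identifies as the screen-mate software.
WATCH_LIST = ("screenmate", "lost in space", "ice age")

# O4 Run-key lines look like:  O4 - HKCU\..\Run: [Name] "C:\path\prog.exe" -args
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def executable_of(cmd):
    """Program path from a Run-key command line: a quoted path ends at the
    closing quote; an unquoted one is cut at '.exe' so spaces in the path survive."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.*?\.exe)', cmd)
    return m.group(1) if m else cmd.split(' ', 1)[0]

def parse_run_entries(log_text):
    """Yield one dict (hive, name, exe) per O4 HKLM/HKCU Run entry in the log."""
    for line in log_text.splitlines():
        m = O4_RUN.match(line)
        if m:
            yield {"hive": m.group("hive"), "name": m.group("name"),
                   "exe": executable_of(m.group("cmd"))}

def suspect_autoruns(log_text, watch_list=WATCH_LIST):
    """Return the Run entries whose name or program path mentions a watched product."""
    found = []
    for entry in parse_run_entries(log_text):
        haystack = (entry["name"] + " " + entry["exe"]).lower()
        if any(w in haystack for w in watch_list):
            found.append(entry)
    return found

if __name__ == "__main__":
    for e in suspect_autoruns(SAMPLE_LOG):
        print(f'{e["hive"]} Run "{e["name"]}" -> {e["exe"]}')
```

Run against the posted log, the two HKCU entries for the screen mates are the ones to review; the HKLM entries for the firewall and display driver are not flagged.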

LonnyRJones
2006-12-12, 11:51
Screensaver and wallpaper software is notorious for spyware; since you know yours includes spyware, I suggest it be uninstalled ASAP.

You're running both AVG and BitDefender; having two or more can cause both to be ineffective. Uninstall all but one antivirus program; you can supplement by getting occasional on-line scans.

For security your Sun Java program should be updated
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Afterwards it's very important to uninstall the old versions via Add/Remove Programs.

Gaming4JC
2006-12-16, 02:05
Hello,
I decided to remove the screenmates by using their own uninstaller.
(hope that works...)
Also, I've removed Bit Defender. But I am very dissatisfied with the results of both of my anti-viruses...

Bit Defender does a better scan, but doesn't check e-mail or have a resident shield.

AVG (still on my comp...) does have both resident shield and e-mail checker, but only catches a few viruses, and therefore lets others come right on in...

So I've been looking at one of Dr. Web's freebies:
http://download.drweb.com/win/

I've not heard of Dr. Web much, so I decided it best to ask first, before downloading. Just to be sure it wasn't a PUP or something. :eek:
So do you feel Dr. Web is an O.K. freeware antivirus utility?
If not please let me know a good alternative. As I have Dial-up you can probably imagine how long an online scan would take to scan my 160GB hard drive. :sad:

I am upgrading my Java runtime right now. Thanks for the advice, I hadn't even thought of the Java until you mentioned it. :bigthumb:

Thanks for all the help, and Happy Holidays! :present:

Gaming4JC

Gaming4JC
2006-12-17, 16:01
Hello,
I've been looking for other antiviruses other than AVG.
and I found this too:
http://www.activevirusshield.com/antivirus/freeav/index.adp?

Please let me know of a good one when you have the time :)


Gaming4JC

LonnyRJones
2006-12-18, 07:13
"Powered by Kaspersky Lab"
Kaspersky is a great av.
If you can, I'd suggest getting the antivirus from Kaspersky themselves.

Dr. Web's a good backup scanner

Gaming4JC
2006-12-20, 03:42
Hello again,
I've downloaded it, it works great! It caught two trojans, one of them a "backdoor".

I also tested it with the fake EICAR test virus, it caught it and deleted it.
I would get Kaspersky directly but it cost $$ and this is great and free :bigthumb:

Thanks again for all your help.

Gaming4JC
2006-12-20, 23:46
Hmm...
I thought it was all over until now :eek:
I also recently installed Deskmates, Oska to be specific.

However, after removing them I've noticed a file called "Thumbs.db" appearing in all of my folders. I'm not sure what it is, but when I try to delete them it says it is a system file. I've deleted a few appearing in files I send out by using the "Shift+Delete". :lip:
:oops:
Please let me know how to fix this problem if you can.

Gaming4JC


LonnyRJones
2006-12-21, 01:25
Thumbs.db are normal
You probably set Windows to show hidden files (in Folder Options, View tab). You could rehide them.

Surf safe

tashi
2006-12-27, 18:35
Glad we could help, as the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.