Spyware Found By Ad-aware Scan


Recommended Posts

SPYWARENO

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[0]=Regkey : S-1-5-21-1177238915-789336058-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}

obj[1]=RegData : software\microsoft\internet explorer\desktop\general "WallpaperStyle"

obj[2]=RegData : control panel\desktop "WallpaperStyle"

First time to have spyware in the Registery.

Does any one know the origin and or what this is?

TIA.

Link to post
Share on other sites

This may be a remnant of a smitfraud infection that is no longer present. I'm going to move this to the HJT section since I'd like to see a HJT log.

You are going to have to work in safe mode for this, so you may wish to print out these directions.

Download smitRem.exe ©noahdfear, and save the file to your desktop.

Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Reboot your computer in SafeMode

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Post that log in your next reply.

Reboot back into Windows and click the Panda ActiveScan shortcut.

  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button

    [*]If it wants to install an ActiveX component allow it

    [*]It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

    [*]When the download is complete, click on My Computer to start the scan

    [*]When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Then, scan agian with HJT and post a new log, along with the smitfiles log and the active scan report.

Link to post
Share on other sites

Matt,

Thanks for the response.

Lost the Panda short cut after coming out of safe mode.

smitRem © log file

version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]

The current date is: Thu 02/09/2006

The current time is: 13:12:00.62

Running from

C:\Documents and Settings\johnny\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)

Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present

Winhound uninstaller NOT present

SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 760 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)

Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]

@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

Activescan report:

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\johnny\Desktop\smitRem\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\johnny\Desktop\smitRem.exe[Process.exe]

Edited by handplane
Link to post
Share on other sites

handplane, I'm pretty sure you are clean, based on the panda report, that smitrem didnt remove anything, and this is the only thing ad-aware found. It is most likely a dormant file. See if ad-aware can get rid of it.

If you need this reopened, shoot me a PM.

Matt

Link to post
Share on other sites

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.