TechSpot

Spyware Infestation

By pataz
Apr 22, 2006
Topic Status:
Not open for further replies.
  1. Hey all,

    Having a bit of a spyware and/or virus activity that I can't pin-point...

    I see some things that don't look familiar on the HJT log but haven't done anything but run full scans with Norton Internet Security suite 2005, AdAware, SpyCatcher-- rebooted, ran a HJT scan.

    Continuing probs of random virus files being detected in windows/temp, Norton "fixing" the problem only to have another pop up after reboot.

    Also my Yahoo Mail buttons, Delete, Reply, etc won't work, IE says “error on page”.

    I'll stop blabbin' and post the log in the following post-- because it was too many characters to post here. Thanks.
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    I have deleted your HJT log because it is in the wrong format, i.e. it was not a .txt attachment.

    Go HERE and follow all the instructions exactly.

    Post a fresh HJT log as an attachment, only after doing the above.

    Regards Howard :wave: :wave:
  3. pataz

    pataz Newcomer, in training Topic Starter Posts: 19

    Hey Howard,

    Sorry about the format of my first post. That's a good example of why you should not drink and post! even if you are frustrated...

    Anyway, I ran the eTrust and PC Pitstop full system scans as you asked. However, I don't know if PC Pitstop deleted the infected files or not, as there is no option to continue or delete the files once the scan finished. I browsed for a couple of files that were on the list but didn't find any of them. At any rate, let me know if you want me to rescan. I've re-run HJT and attached the new log file as you requested.

    Thank you for your assistance.
    pataz
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\senssrv.dll into the run box and press the enter key.

    Click start/run and type services.msc into the run box and press the enter key. When the window appears, maximise it.

    Locate the following services(if there) and double click on them. Select stop if they are running and set the startup type to disabled.

    eventwvr

    Microsoft Windows System

    Click apply/ok

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    eventwvr.exe
    srwhost.exe <Note the spelling.
    ibm00001.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=zx5Q4CXHPx6SCHKwH_uqaBasxwk

    O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System] srwhost.exe
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

    O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files(if there).

    C:\WINDOWS\SYSTEM32\senssrv.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\WINDOWS\system32\eventwvr.exe

    srwhost.exe Do a search of your computer for this file.

    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
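    The steps above are a manual walk through the persistence points named in the HJT log. As an added example, not part of the thread or of Howard's instructions, the PowerShell script below audits exactly those entries (the O4 autoruns, the O20 Winlogon Notify package, the R0/R1 Internet Explorer page hijacks, the named files and the matching processes) and reports which are present; with -Remove it performs the same cleanup in the same order as the post (stop processes, unhook registry entries, delete files). The -Remove switch, the about:blank reset for the IE values, and the extra check for c:\secure32.html are assumptions added here; the thread only lists the entries and tells the user to delete the files. It assumes PowerShell with the registry provider (2.0 or later) and an elevated session, and should be run from Safe Mode as the post describes.

```powershell
# Added example (not from the thread): audit and optionally remove the
# persistence entries named in the HJT-based removal steps above.
# Run elevated, from Safe Mode. Without -Remove it only reports.
[CmdletBinding()]
param([switch]$Remove)

$findings = @()

# 1. Running processes (end these before touching files, as the post does)
foreach ($p in Get-Process -Name 'eventwvr','srwhost','ibm00001' -ErrorAction SilentlyContinue) {
    $findings += "Process: $($p.ProcessName) (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Autorun values (HJT "O4" lines): key, value name, expected image name.
#    Only a value whose data references the named image is reported, so a
#    legitimate value that happens to share a name is left alone.
$autoruns = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'eventwvr';                 Match = 'eventwvr.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Microsoft Windows System'; Match = 'srwhost.exe'  },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Shell';                    Match = 'ibm00001.exe' }
)
foreach ($a in $autoruns) {
    $v = Get-ItemProperty -Path $a.Key -Name $a.Name -ErrorAction SilentlyContinue
    if ($v -and ($v.($a.Name) -like "*$($a.Match)*")) {
        $findings += "O4 autorun: $($a.Key)\$($a.Name) = $($v.($a.Name))"
        if ($Remove) { Remove-ItemProperty -Path $a.Key -Name $a.Name }
    }
}

# 3. Winlogon Notify package (HJT "O20"): the SensSrv subkey loads senssrv.dll at logon
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensSrv'
if (Test-Path $notify) {
    $dll = (Get-ItemProperty -Path $notify -ErrorAction SilentlyContinue).DllName
    $findings += "O20 Winlogon Notify: $notify (DllName = $dll)"
    if ($Remove) { Remove-Item -Path $notify -Recurse }
}

# 4. IE page hijack (HJT "R0"/"R1"): any of the three page values pointing at secure32.html.
#    Assumption: reset to about:blank instead of deleting, since IE recreates the values.
foreach ($hive in 'HKCU','HKLM') {
    $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    foreach ($name in 'Default_Page_URL','Start Page','Local Page') {
        $v = Get-ItemProperty -Path $main -Name $name -ErrorAction SilentlyContinue
        if ($v -and ($v.$name -like '*secure32.html*')) {
            $findings += "R0/R1 IE ${hive} '$name' = $($v.$name)"
            if ($Remove) { Set-ItemProperty -Path $main -Name $name -Value 'about:blank' }
        }
    }
}

# 5. Files on disk: the three paths named in the post, the hijack page itself
#    (assumption, not listed in the thread), and a search for srwhost.exe
#    under the Windows directory, as the post asks the user to search for it.
$files = @(
    "$env:SystemRoot\System32\senssrv.dll",
    "$env:SystemRoot\System32\eventwvr.exe",
    "$env:ProgramFiles\Common Files\Microsoft Shared\Web Folders\ibm00001.exe",
    "$env:SystemDrive\secure32.html"
)
$files += Get-ChildItem -Path $env:SystemRoot -Filter 'srwhost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
          ForEach-Object { $_.FullName }
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings.Count -eq 0) { "Nothing from the thread's list is present." } else { $findings }
```

    Run it once without -Remove to see what is actually on the box (the user in this thread found that most of the listed items were already gone after the earlier scans), then rerun with -Remove and take a fresh HJT log, as the post does, to confirm the entries no longer come back after a normal-mode reboot.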
  5. pataz

    pataz Newcomer, in training Topic Starter Posts: 19

    Howard,

    I have completed all your instructions but there were some differences so I am posting them below following your instructions, a new hjt log is attached as well:

    Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\senssrv.dll into the run box and press the enter key.
    LoadLibrary regsvr32 /u C:\WINDOWS\SYSTEM32\senssrv.dll failed – The specified module could not be found

    Click start/run and type services.msc into the run box and press the enter key. When the window appears, maximise it.

    Locate the following services(if there) and double click on them. Select stop if they are running and set the startup type to disabled.

    Eventwvr
    not present

    Microsoft Windows System
    not present


    Click apply/ok

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    eventwvr.exe
    srwhost.exe <Note the spelling.
    ibm00001.exe
    None of these were listed

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).
    done


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
    not present

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
    not present

    http://127.0.0.1:4664/&s=zx5Q4CXHPx6SCHKwH_uqaBasxwk
    not present

    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    not present


    Click on the fix checked button.
    done

    Close HJT.
    done

    Locate and delete the following bold files(if there).

    C:\WINDOWS\SYSTEM32\senssrv.dll
    not present

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\WINDOWS\system32\eventwvr.exe
    not present

    srwhost.exe Do a search of your computer for this file.
    None found
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Let HJT fix these entries(if there) in safe mode.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

    Other than that, your HJT log is clean.

    Regards Howard :)
  7. pataz

    pataz Newcomer, in training Topic Starter Posts: 19

    Hey Howard,

    Well, it looks like we're clean. I've attached another HJT log, but I didn't see either of the 2 items you mention above while in safe mode. Thank you very much for your quick responses and all your help!!!

    Just one more question... since my current protection scheme (Symantec 2005, AdAware, Google toolbar, SpyCatcher) didn't seem to do its job, what do you recommend in the way of virus/spyware protection?

    And again, thank you!

    pataz
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Yes you`re quite right. Your HJT log is clean.

    As far as antivirus programmes etc.

    I`d recommend that you get rid of that Symantec/Norton crapware, and get the free AVG antivirus programme and the free Zonealarm firewall.

    You can get them HERE and HERE.

    Not only will your system be more secure, but it will be faster as well.

    Regards Howard :)
  9. pataz

    pataz Newcomer, in training Topic Starter Posts: 19

    I think that's good advice. I will definitely check it out. With 4 systems at home the Norton thing was getting a bit on the pricey side as well.

    Thanks again Howard for your help and advice. Is there anything I can do for you to help with your ratings or a donation to the site?
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Thank you for your kind offer. However, there is no need to make a donation, as this is a commercial website, paid for through advertising.

    You can spread the word about Techspot amongst your friends and colleagues, though.

    Regards Howard :)

    This thread is for the use of pataz only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. pataz

    pataz Newcomer, in training Topic Starter Posts: 19

    I will pass the word about Techspot. Thanks again for all your help.

    Take care,
    pataz