Spyware Infestation

Status: Not open for further replies.

pataz

Hey all,

Having a bit of a spyware and/or virus activity that I can't pin-point...

I see some things that don't look familiar on the HJT log but haven't done anything but run full scans with Norton Internet Security suite 2005, AdAware, SpyCatcher-- rebooted, ran a HJT scan.

Continuing probs of random virus files being detected in windows/temp, Norton "fixing" the problem only to have another pop up after reboot.

Also my Yahoo Mail buttons, Delete, Reply, etc won't work, IE says “error on page”.

I'll stop blabbin' and post the log in the following post-- because it was too many characters to post here. Thanks.
 
Hello and welcome to Techspot.

I have deleted your HJT log because it is in the wrong format, i.e. it was not posted as a .txt attachment.

Go HERE and follow all the instructions exactly.

Post a fresh HJT log as an attachment, only after doing the above.

Regards Howard :wave: :wave:
 
Hey Howard,

Sorry about the format of my first post. That's a good example of why you should not drink and post, even if you are frustrated...

Anyway, I ran the eTrust and PC Pitstop full system scans as you asked. However, I don't know if PC Pitstop deleted the infected files or not, as there is no option to continue or delete the files once the scan finished. I browsed for a couple of files that were on the list but didn't find any of them. At any rate, let me know if you want me to rescan. I've re-run HJT and attached the new log file as you requested.

Thank you for your assistance.
pataz
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\senssrv.dll into the run box and press the enter key.

Click start/run and type services.msc into the run box and press the enter key. When the window appears, maximise it.

Locate the following services (if there) and double click on them. Select stop if they are running and set the startup type to disabled.

eventwvr

Microsoft Windows System

Click apply/ok

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

eventwvr.exe
srwhost.exe <Note the spelling.
ibm00001.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=zx5Q4CXHPx6SCHKwH_uqaBasxwk

O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] srwhost.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following files (if there).

C:\WINDOWS\SYSTEM32\senssrv.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\system32\eventwvr.exe

srwhost.exe Do a search of your computer for this file.

Reboot into normal mode and turn system restore back on.

Regards Howard :)
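The entries Howard lists above are the standard HijackThis (HJT) review heuristics applied by hand: an R0/R1 Internet Explorer page setting that points at a local file (c:\secure32.html) is a home-page hijack; O4 entries under the Win9x-era RunServices key, or with a bare filename and no path (srwhost.exe), or with a name posing as an OS component ([Shell], [Microsoft Windows System]) are autostart malware; an O20 Winlogon Notify DLL that is not one of the stock notification packages loads into winlogon.exe at every logon; and O16 DPF controls are judged by the domain that serves them. The Python below is an added example, not code from this thread or from the HijackThis project: it parses the entry lines quoted in the post (plus one constructed, benign O4 line as a control) and applies those heuristics. The allowlists of stock Winlogon notification DLLs, trusted ActiveX download domains and look-alike entry names are assumptions, trimmed for illustration, and the loopback ShellNext entry is only marked for review because the log alone does not say which program listens on that port.

```python
"""Triage HijackThis log entries with the reviewer heuristics used in the thread.

Added example; not code from the thread or from HijackThis. Allowlists below
are assumptions (trimmed for illustration), not authoritative lists.
"""
import re
from urllib.parse import urlsplit

# Assumed: DLLs behind the stock XP Winlogon\Notify subkeys (extend for your build).
DEFAULT_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                       "wlnotify.dll", "sclgntfy.dll", "wgalogon.dll"}
# Assumed: domains from which the on-line scanners used in the thread are served.
TRUSTED_DPF_DOMAINS = {"microsoft.com", "ca.com", "pcpitstop.com"}
# Assumed: autostart entry names that pose as parts of Windows.
MIMIC_NAMES = {"shell", "microsoft windows system"}

# Constructed sample: the entries quoted in the post, plus one benign O4 control
# line (SunJavaUpdateSched) that is not from the page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=zx5Q4CXHPx6SCHKwH_uqaBasxwk
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\system32\eventwvr.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] srwhost.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
"""

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")


def parse_entry(line):
    """Split one HJT line into its type and the fields that matter for triage."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    e = {"type": etype, "raw": line.strip()}
    if etype in ("R0", "R1"):                      # registry value: "<key>,<name> = <value>"
        key, _, value = body.partition(" = ")
        e["key"], e["value"] = key, value.strip()
    elif etype == "O4":                            # autostart: "<key>: [<name>] <command>"
        m4 = re.match(r"(?P<key>.+?): \[(?P<name>.*?)\] (?P<cmd>.*)$", body)
        if m4:
            e.update(m4.groupdict())
    elif etype == "O16":                           # ActiveX download: "DPF: {clsid} (desc) - url"
        m16 = re.match(r"DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>.*?)\) - (?P<url>\S+)$", body)
        if m16:
            e.update(m16.groupdict())
    elif etype == "O20":                           # Winlogon Notify: "<name> - <dll path>"
        m20 = re.match(r"Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$", body)
        if m20:
            e.update(m20.groupdict())
    return e


def classify(e):
    """Return (verdict, reason); verdict is 'fix', 'review' or 'ok'."""
    t = e["type"]
    if t in ("R0", "R1"):
        v = e.get("value", "")
        if re.match(r"^[a-z]:\\", v, re.I):
            return "fix", "IE page setting points at a local file: home-page hijack"
        if (urlsplit(v).hostname or "") in ("127.0.0.1", "localhost"):
            return "review", "points at a loopback listener; confirm which program owns that port"
        return "ok", "remote URL; confirm it is the page the user chose"
    if t == "O4":
        cmd = e.get("cmd", "")
        # First token of the command: quoted path, or crude split on space (enough for the path check).
        exe = cmd.split('"')[1] if cmd.startswith('"') and cmd.count('"') >= 2 else cmd.split(" ")[0]
        if "RunServices" in e.get("key", ""):
            return "fix", "RunServices is a Win9x-era key XP does not populate itself; anything here is suspect"
        if "\\" not in exe:
            return "fix", "bare filename with no path; loaded from wherever the search path finds it"
        if e.get("name", "").lower() in MIMIC_NAMES:
            return "fix", "entry name poses as an OS component; treat the binary as suspect"
        return "ok", "full path and non-generic name; still verify the binary's hash/signature"
    if t == "O16":
        host = urlsplit(e.get("url", "")).hostname or ""
        if any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
            return "ok", f"ActiveX control served from {host}, a known scanner/vendor domain"
        return "review", f"ActiveX control served from {host}, not on the trusted-domain list"
    if t == "O20":
        dll = e.get("path", "").rsplit("\\", 1)[-1].lower()
        if dll in DEFAULT_NOTIFY_DLLS:
            return "ok", "stock Winlogon notification package"
        return "fix", f"{dll} is not a stock notification package; it loads into winlogon.exe at every logon"
    return "review", "entry type not covered by these rules"


def triage(log_text):
    """Return [(type, verdict, reason, raw_line), ...] for every parsable entry."""
    out = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e:
            verdict, why = classify(e)
            out.append((e["type"], verdict, why, e["raw"]))
    return out


def to_fix(log_text):
    """The raw lines a reviewer would tell the user to tick in HJT."""
    return [raw for _, v, _, raw in triage(log_text) if v == "fix"]


if __name__ == "__main__":
    for etype, verdict, why, raw in triage(SAMPLE_LOG):
        print(f"{verdict:6} {etype:3} {raw}\n       {why}")
```

Run against the sample, the six lines Howard had ticked (the two local-file R entries, the three O4 entries and the O20 DLL) come back as "fix", the loopback ShellNext as "review", and the Yahoo start page, the constructed Java entry and the WGA control as "ok". Note that "fix" here means "tick it in HJT", which removes the registry entry only; the files themselves still have to be deleted by hand in safe mode, as the post goes on to do.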
 
Howard,

I have completed all your instructions but there were some differences so I am posting them below following your instructions, a new hjt log is attached as well:

Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\senssrv.dll into the run box and press the enter key.
LoadLibrary regsvr32 /u C:\WINDOWS\SYSTEM32\senssrv.dll failed – The specified module could not be found

Click start/run and type services.msc into the run box and press the enter key. When the window appears, maximise it.

Locate the following services (if there) and double click on them. Select stop if they are running and set the startup type to disabled.

Eventwvr
not present

Microsoft Windows System
not present


Click apply/ok

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

eventwvr.exe
srwhost.exe <Note the spelling.
ibm00001.exe
None of these were listed

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):
done


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
not present

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=zx5Q4CXHPx6SCHKwH_uqaBasxwk
not present

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
not present


Click on the fix checked button.
done

Close HJT.
done

Locate and delete the following files (if there).

C:\WINDOWS\SYSTEM32\senssrv.dll
not present

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\system32\eventwvr.exe
not present

srwhost.exe Do a search of your computer for this file.
None found
 
Let HJT fix these entries(if there) in safe mode.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

Other than that, your HJT log is clean.

Regards Howard :)
 
Hey Howard,

Well, it looks like we're clean. I've attached another hjt log but I didn't see either of the 2 items you mention above while in safe mode. Thank you very much for your quick responses and all your help!!!

Just one more question... since my current protection scheme (Symantec 2005, AdAware, Google Toolbar, SpyCatcher) didn't seem to do its job, what do you recommend in the way of virus/spyware protection?

And again, thank you!

pataz
 
Yes, you're quite right. Your HJT log is clean.

As far as antivirus programmes etc.

I'd recommend that you get rid of that Symantec/Norton crapware, and get the free AVG antivirus programme and the free ZoneAlarm firewall.

You can get them HERE and HERE.

Not only will your system be more secure, but it will be faster as well.

Regards Howard :)
 
I think that's good advice. I will definitely check it out. With 4 systems at home the Norton thing was getting a bit on the pricy side as well.

Thanks again Howard for your help and advice. Is there anything I can do for you to help with your ratings or a donation to the site?
 
Quote: "I can do for you to help with your ratings or a donation to the site"

Thank you for your kind offer. However, there is no need to make a donation, as this is a commercial website, paid for through advertising.

You can spread the word about Techspot amongst your friends and colleagues, though.

Regards Howard :)

This thread is for the use of pataz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 