cwwllcadaware, posted June 20, 2006

Smitfraud in System File is still showing after I deleted it from the Spybot Quarantine. Before running MWAV, I deleted all the Spybot quarantined files.
CalamityJane, posted June 20, 2006

For Smitrem, let's run this.

Download this free tool called smitRem (http://noahdfear.geekstogo.com/click%20cou.../click.php?id=1) and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with the Panda Scan log.
cwwllcadaware, posted June 21, 2006

1. You mentioned Panda in your last posting; are Panda and Kaspersky the same company?
2. Is it safe to run an online scan as opposed to a downloaded scan? Won't the online website have access to my files?
3. Following is the smitRem log:

smitRem © log file version 3.0
by noahdfear

Windows 98 [Version 4.10.2222]
Running from C:\My Documents\Hijack\SmitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export
(GetSTS.exe)
SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

amcompat.tlb
nscompat.tlb

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

wupdmgr.exe

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~ wininet.dll ~~~~

wininet.dll Present!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix
(GetSTS.exe)
SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~

~~~ Icons in system folder ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~ wininet.dll ~~~~

wininet.dll Clean!!
cwwllcadaware, posted June 21, 2006

After running smitRem, I ran MWAV again and have found the following:
- Precisionpop Spyware/Adware found in File System
- Smitfraud Browser Hijacker found in File System
CalamityJane, posted June 21, 2006

> 1. You mentioned Panda in your last posting; are Panda and Kaspersky the same company?
> 2. Is it safe to run an online scan as opposed to a downloaded scan? Won't the online website have access to my files?

Sorry, didn't mean to mention Panda - that got in there by mistake. Kaspersky has the best detection, which is why I want to see that one.

I use the online scanners all the time. From a trusted company like Kaspersky this should not be a problem; however, if you would rather download the program and scan your PC, they do have a 30 day free trial. Get the Kaspersky Antivirus 6.0 Trial version, but make sure you uninstall any existing AVs presently on your system. Norton should probably go anyway as it is so out of date it's hardly useful. AVG you can uninstall, and if you decide you want to keep it you can just reinstall later.

Make sure your PC can handle these system requirements before trying the Kaspersky Antivirus 6.0 trial home version.

Kaspersky Anti-Virus 6.0 (Home user)
http://www.kasperskyusa.com/promotions/tri...apter=146481750

System Requirements

General requirements:
* Microsoft Windows 98 (SE) / NT Workstation 4.0
* Microsoft Windows NT Workstation 4.0 with Service Pack 6a
* Microsoft Internet Explorer 5.5 or higher (for product & antivirus database updates via the Internet)
* CD-ROM (for product installation)
* Internet connection (for product activation)

Hardware requirements:
* Intel Pentium 133 MHz or higher
* 64 MB RAM
* 50 MB available HDD space

IMHO, the online scanner is just easier and safe to use.
cwwllcadaware, posted June 24, 2006

I installed and ran Kaspersky (May Edition). I didn't want to go online yet so I didn't install the latest updates. It found and deleted a number of infected emails (Outlook folder). It did not find Precision Spyware nor Smitfraud. I then uninstalled Kaspersky, reinstalled and ran MWAV, and it found again the following:
- Precisionpop Spyware/Adware found in File System (you're not too concerned about this one as you mentioned it was a false positive)
- Smitfraud Browser Hijacker found in File System

Can't seem to get rid of Smitfraud. Following is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:47:24 PM, on 06/24/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
CalamityJane, posted June 24, 2006

KAV is no help without the updates. It's time for you to go online and get the updates. Get the standard updates AND the extended updates.
Standard is for viruses, trojans and worms.
Extended is for spyware (so you need BOTH).

I have instructions here from KAV 5.0, which is an earlier version, but it should be about the same or similar steps to get the extended database.

First get the Standard Updates (KAV should do that automatically as soon as you go online). When you have those, then open KAV again. Look under *Settings*, and then *Configure Updater*. Choose Extended Database. Click *OK* and then Check for Updates and you will get another smaller update which will install.
cwwllcadaware, posted June 26, 2006

Following are both the Kaspersky Log and the HJT Log. It seems that KAV didn't find any trace of what was discovered by MWAV:
- Precisionpop Spyware/Adware found in File System
- Smitfraud Browser Hijacker found in File System

Kaspersky Log:

Protection
----------
Total scanned: 1287871
Detected: 2
Untreated: 0
Start time: Unknown
Duration: Unknown
Finish time: Unknown

Detected
--------
Status    Object
------    ------
deleted: adware not-a-virus:AdWare.Win32.SurfSide.av    File: c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe
deleted: Trojan program Trojan-Clicker.Win32.Small.jf    File: c:\Program Files\html2.htm

Events
------
Time    Event
----    -----
06/24/2006 9:56:54 PM    A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
06/24/2006 10:02:56 PM    Kaspersky Anti-Virus 6.0 is not activated.
06/24/2006 10:02:57 PM    A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
06/24/2006 10:06:26 PM    Please restart your computer to complete the installation of new or updated protection components.
06/24/2006 10:06:28 PM    Update completed successfully.
06/24/2006 10:09:17 PM    A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
06/24/2006 10:17:26 PM    A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
06/25/2006 6:56:31 AM    File c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe: detected adware not-a-virus:AdWare.Win32.SurfSide.av
06/25/2006 6:56:31 AM    Security threats have been detected. You are advised to neutralize them immediately.
06/25/2006 6:56:31 AM    File c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe: is not disinfected, postponed
06/25/2006 6:56:31 AM    File c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe: detected adware not-a-virus:AdWare.Win32.SurfSide.av
06/25/2006 6:56:32 AM    File c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk.exe: is not disinfected, postponed
06/25/2006 4:59:00 PM    File c:\Program Files\html2.htm: detected Trojan program Trojan-Clicker.Win32.Small.jf
06/25/2006 4:59:00 PM    Security threats have been detected. You are advised to neutralize them immediately.
06/25/2006 4:59:01 PM    File c:\Program Files\html2.htm: is not disinfected, postponed
06/25/2006 4:59:11 PM    File c:\Program Files\html2.htm: detected Trojan program Trojan-Clicker.Win32.Small.jf
06/25/2006 4:59:11 PM    File c:\Program Files\html2.htm: is not disinfected, postponed

Reports
-------
Task    Status    Start    Finish    Size
----    ------    -----    ------    ----
Scan My Computer    completed    06/24/2006 10:32:38 PM    06/25/2006 9:13:50 PM    200 MB
Scan    completed    06/24/2006 10:34:54 PM    06/25/2006 9:13:28 PM    198.3 MB

Quarantine
----------
Status    Object    Size    Added
------    ------    ----    -----

Backup
------
Status    Object    Size
------    ------    ----

---------------------------------------------------------------------------------------

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:08 AM, on 06/26/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [kav] "C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [AVP] "C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE -r"
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html
O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\SCIEPLUGIN.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
CalamityJane, posted June 26, 2006

These two Kaspersky detected... those are real - you can let KAV disinfect/delete them. MWAV had 2 FPs that I told you about. That one for precision pop is definitely an FP and I would have to see the other one to tell what it is. But I trust KAV with current detections IS finding the two bad ones left and not the others by MWAV, which is now out of date. You should probably delete that and if you want to scan with MWAV, get a fresh new copy. The FPs may have been fixed in their detection database.
cwwllcadaware, posted June 26, 2006

MWAV is in the process of scanning (latest update 06-20-06) and it found them again:
- Precisionpop Spyware/Adware found in File System
- Smitfraud Browser Hijacker found in File System
CalamityJane, posted June 26, 2006

When it finishes save the log and post it here: http://www.thespykiller.co.uk/forum/index.php?topic=1909.0

I'll be happy to review it and find exactly what it is finding. As I said, I know the PrecisionPop is definitely a FP and I'll need to see the location of the other one.
cwwllcadaware, posted June 26, 2006

In the meantime, I wanted to ask you a couple of questions, if I may, regarding future security:

- You had mentioned that Norton Antivirus 2003 was obsolete for today's malware. I just bought a copy of Norton Internet Security 2005 (Antivirus & Personal Firewall). The 2006 version doesn't work on Win98. Is this version good enough for today's viruses, malware, etc.?
- What do you recommend having installed at all times from the usual list (Adaware, Spybot, AVG, Kaspersky, etc.)? It seems that AVG was the only one that removed Qoologic. What are your feelings about the software?
- Are there any known conflicts between the above AV software and Norton?
- What about Norton Personal Firewall? Any feelings on the software?
- Do you have any recommendation on security equipment (routers, etc.)?
CalamityJane, posted June 26, 2006

> In the meantime, I wanted to ask you a couple of questions, if I may, regarding future security:
> - You had mentioned that Norton Antivirus 2003 was obsolete for today's malware. I just bought a copy of Norton Internet Security 2005 (Antivirus & Personal Firewall). The 2006 version doesn't work on Win98. Is this version good enough for today's viruses, malware, etc.?

Yes, it should be much better than the 2003 version.

> - What do you recommend having installed at all times from the usual list (Adaware, Spybot, AVG, Kaspersky, etc.)? It seems that AVG was the only one that removed Qoologic. What are your feelings about the software?

In my opinion (and I handle a lot of malware), Kaspersky is absolutely the best in detection and usually the first to detect new variants of viruses, trojans and spyware. For cleaning, Adaware and Spybot are dedicated privacy software scanners for adware/spyware pests and do a very good job of registry cleaning that the AVs don't (AVs will usually stop the active infection but don't scan deep for system changes, etc. like the Antispyware cleaners do). I recommend keeping those. They are both on my list of the top Antispyware scanners.

> - Are there any known conflicts between the above AV software and Norton?

You should only have one AV running realtime protection. Otherwise you may have conflicts. Having a 2nd as a backup scanner is ok, as long as it isn't running realtime while Norton is.

> - What about Norton Personal Firewall? Any feelings on the software?

All of the software firewalls do about the same - and all perform well. Be sure you turn off the alerts though. Incoming alerts will make you paranoid. They are a normal part of the internet and every day they block those incoming events as they are supposed to do. Turn the incoming alerts off. It is the outgoing alerts you should check out. If something you don't recognize is trying to get out, that's when you need to know about it.

> - Do you have any recommendation on security equipment (routers, etc.)?

You need a router if you have a network. If this is a standalone PC, I think a software firewall should be adequate.
cwwllcadaware, posted June 27, 2006

The latest MWAV Log is 24,994 KB. The link will accept up to 20,048 KB. Are there any other links where it can be uploaded?
CalamityJane, posted June 27, 2006

> The latest MWAV Log is 24,994 KB. The link will accept up to 20,048 KB. Are there any other links where it can be uploaded?

Can you divide it into two files? Upload each one separately.
cwwllcadaware, posted June 27, 2006

The log file is so large it freezes each time I try to open it. Not sure what to do. Also, once you view it, what happens to the file? Do you delete it, does a copy remain somewhere, etc.?
CalamityJane, posted June 28, 2006

Put it into a zip file. Then it will compress it to a size you can upload at spykiller.
cwwllcadaware, posted June 28, 2006

Can't believe I didn't think of zipping it. Also, what happens to the file? Do you delete it, does a copy remain somewhere, etc.?
CalamityJane, posted June 28, 2006

> Can't believe I didn't think of zipping it.

Can't believe I didn't either!

> Also, what happens to the file? Do you delete it, does a copy remain somewhere, etc.?

When I receive the file I put it into a folder named "Deletable stuff" (because I clean that out regularly and don't need to keep old logs once a problem is resolved). The file on your system remains unless you delete it.
cwwllcadaware, posted June 28, 2006

Upload complete. Thanks.
CalamityJane, posted June 28, 2006

Only approved Malware Fighters can see any of the attachments in that forum. In accordance with your request I removed both MWAV logs.

These were the two items found and my comments follow on each:

Mon Jun 26 13:09:38 2006 => Offending file found: C:\WINDOWS\starter.exe
Mon Jun 26 13:09:38 2006 => System found infected with precisionpop Spyware/Adware (starter.exe)! Action taken: No Action Taken.

I had you upload this file for analysis: C:\WINDOWS\starter.exe

This file is clean and is NOT PrecisionPop. It belongs to Creative Technologies and is legitimate on your system.
Description: starter.exe is installed alongside Creative Labs Ensoniq Mixer and provides added functionality to the default Windows volume facility.
This is a False Finding by MWAV.

.....................................

Mon Jun 26 13:09:50 2006 => Offending file found: C:\WINDOWS\Favorites\exporting\pharmacies\uae\directories\pharmacy.url
Mon Jun 26 13:09:50 2006 => System found infected with smitfraud Browser Hijacker (pharmacy.url)! Action taken: No Action Taken.

This is a URL added to your Favorites. It cannot harm your system (unless you click on it, and then it might be a harmful site). You can delete this file from your favorites: C:\WINDOWS\Favorites\exporting\pharmacies\uae\directories\pharmacy.url

In fact, if you don't have a folder for pharmacies in your favorites you can just delete the "Pharmacies" folder in your Favorites.
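The triage the helper does above on the two MWAV findings can be scripted, as an added example that is not code from the thread, from MWAV or from any of the tools mentioned: pair each "Offending file found" line with its "System found infected with" line, then apply the same reasoning, an allowlist for the Creative starter.exe and an "inert shortcut" rule for .url files under Favorites, with anything else left for manual review. The sample log is constructed from the two line pairs quoted in the post plus one hypothetical third finding; the allowlist text, verdict names and the example.exe path are assumptions.

```python
"""Triage MWAV-style "Offending file found" log lines by location and file type."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: the two findings quoted in the thread plus a third,
# hypothetical executable under TEMP to exercise the "review" path.
SAMPLE_LOG = r"""
Mon Jun 26 13:09:38 2006 => Offending file found: C:\WINDOWS\starter.exe
Mon Jun 26 13:09:38 2006 => System found infected with precisionpop Spyware/Adware (starter.exe)! Action taken: No Action Taken.
Mon Jun 26 13:09:50 2006 => Offending file found: C:\WINDOWS\Favorites\exporting\pharmacies\uae\directories\pharmacy.url
Mon Jun 26 13:09:50 2006 => System found infected with smitfraud Browser Hijacker (pharmacy.url)! Action taken: No Action Taken.
Mon Jun 26 13:10:02 2006 => Offending file found: C:\WINDOWS\TEMP\example.exe
Mon Jun 26 13:10:02 2006 => System found infected with exampleware Trojan (example.exe)! Action taken: No Action Taken.
""".strip()

# Line shapes taken from the two pairs quoted in the thread.
FOUND_RE = re.compile(r"^(?P<ts>.+?) => Offending file found: (?P<path>.+?)\s*$")
INFECT_RE = re.compile(
    r"^(?P<ts>.+?) => System found infected with (?P<name>.+?) "
    r"\((?P<base>[^)]+)\)! Action taken: (?P<action>.+?)\s*$"
)

# Paths the thread identified as legitimate despite the MWAV hit (assumed
# allowlist; keys are lower-cased because Windows paths are case-insensitive).
KNOWN_GOOD = {
    r"c:\windows\starter.exe":
        "Creative Labs Ensoniq Mixer helper; MWAV misreports it as PrecisionPop",
}


@dataclass
class Finding:
    timestamp: str
    path: str
    detection: str
    action: str
    verdict: str   # "known-good", "inert-shortcut" or "review"
    note: str


def classify(path: str) -> tuple[str, str]:
    """Return (verdict, note) for one offending path."""
    low = path.lower()
    if low in KNOWN_GOOD:
        return "known-good", KNOWN_GOOD[low]
    parts = low.split("\\")
    if "favorites" in parts and low.endswith(".url"):
        # A .url is a bookmark: it runs nothing by itself, so removal is enough.
        return ("inert-shortcut",
                "Internet shortcut in Favorites; cannot execute by itself, "
                "delete the .url (or its folder) from Favorites")
    return ("review",
            "Outside the allowlist and not an inert shortcut; submit the file "
            "for analysis before acting on the detection")


def triage(log_text: str) -> list[Finding]:
    """Pair each 'Offending file found' line with the matching infection line."""
    findings: list[Finding] = []
    pending: tuple[str, str] | None = None   # (timestamp, path) awaiting its pair
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            pending = (m["ts"], m["path"])
            continue
        m = INFECT_RE.match(line)
        if (m and pending and m["ts"] == pending[0]
                and m["base"].lower() == ntpath.basename(pending[1]).lower()):
            verdict, note = classify(pending[1])
            findings.append(Finding(pending[0], pending[1], m["name"],
                                    m["action"], verdict, note))
            pending = None
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per verdict so the reviewer sees what still needs a look."""
    counts = {"known-good": 0, "inert-shortcut": 0, "review": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:15} {f.detection:35} {f.path}\n{'':15} {f.note}")
    print(summarize(results))
```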
cwwllcadaware, posted June 28, 2006

I really don't know how to thank you. I am very, very lucky to have run into you. Your non-stop help and compassion is very much appreciated. You were right when you said it might take days to fix it. But, nevertheless, we did it thanks to you. It has been a definite learning experience.

So, to sum it up:

1. Regarding Anti-Virus software, you recommend only installing one program; and you prefer Kaspersky over Norton Anti-Virus or AVG. I assume the paid version of Kaspersky. Does it use a lot of memory while running in the background?
2. Regarding spyware/adware, it is OK to have multiple programs installed (Ad-Aware, Spybot, Webroot Spy Sweeper, etc.).
3. Regarding firewall, I am assuming that any of them will do (Norton, Webroot, Zone Alarm, etc.).
4. Regarding system back-ups, I forgot to ask you this before, how do you feel about the program BackupMyPC? Any programs that you might be aware of that you recommend? Also, will the Anti-Virus and Spyware programs detect problems with already backed-up data?
CalamityJane, posted June 28, 2006

Yes, your summary is correct. I wouldn't have more than one Antispyware program running realtime protection though. People tend to go overboard on having too many Antispyware products.

For backups, Acronis True Image is the most often recommended I have seen.
http://www.acronis.com/homecomputing/products/trueimage/
I have all my backups on an additional external hard drive.

You'll need to empty out all the quarantined items in the various programs used to clean your system, and you can delete any of the special tools we used or programs you don't intend to keep. Ewido is a nice anti-trojan scanner that you can keep after the trial is over as a free on-demand scanner. It will need to be updated manually but the cleaning function still works if needed.

I ran Zone Alarm 2.6 on my Win98 and I have it on my XP as well - that particular old version is still a good one and a lot less resource hungry than the newer versions of ZA, which are usually just packed with extra "features" that don't really enhance the security/firewall function. You can get v. 2.6 ZA here:
http://www.oldversion.com/program.php?n=zalarm

These are my recommendations for extra protection to prevent future infections. Here are some things you can do and some free programs to help.

How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

In that article, IESPYAD is really worth looking into (yes, it's free). It will put over 20,000 known bad websites into your restricted zone so even if you hit one by accident, it can't harm your PC. Spyware Guard and SpywareBlaster (also free) are two other "must haves" IMHO. Those 3 programs only need to be updated about once a month.
cwwllcadaware, posted June 29, 2006

> You'll need to empty out all the quarantined items in the various programs used to clean your system, and you can delete any of the special tools we used or programs you don't intend to keep. Ewido is a nice anti-trojan scanner that you can keep after the trial is over as a free on-demand scanner. It will need to be updated manually but the cleaning function still works if needed.

Where are the quarantined files usually located?
CalamityJane, posted June 29, 2006

> Where are the quarantined files usually located?

It's usually obvious within each program.
Norton has a "quarantine"
AVG calls it the "Virus Vault"
Adaware has a quarantine
Spybot has "Recovery"
Not sure about KAV but probably something similar.

Adaware's quarantine can be viewed from the main screen: click on the link that says "Open Quarantine List".

After a period of time (say, a couple of weeks) there is no need to keep those items in quarantine once you are sure all your programs and computer are running properly. The whole idea is that if a problem is discovered and you needed to recover something previously "deleted and held in quarantine", you could do that. Nothing can run from there, but keeping those old infected files around is ineffective and other security programs will most likely alert on them, so it's a good idea to clean them out so you are not continually tripping over them.