Author Topic: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]  (Read 45183 times)


sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #60 on: September 10, 2008, 06:02:11 AM »
HELP! Okay, so I am here:
http://www.castlecops.com/t165203-IceSword_Instructions_in_English_Illustrated.html

I downloaded the 1.20 version because I have XP. I followed steps 1 and 2, fortunately, there are no red entries.

The only red entries are in the SSDT and I don't understand how to go about deleting/stopping them. If I am supposed to find the folders and delete them from there, how do I go about finding the unknowns? I saved the red entries and attached them.
======================
the SDFix report is attached
======================

please see the updated SuperAntiSpyware
=======================
new hjt also attached.
=======================

thank you thank you thank you!!!!!

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #61 on: September 10, 2008, 04:11:13 PM »
hmmm... so before going to bed last night, I was going to deselect 'turn off system restore on all drives', but when looking in the system properties, I didn't see the 'system restore' tab. I had someone else look and review this info: http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B310405
but they didn't see the system restore tab either.

I ran spybot while I slept and in the middle of the night I checked the comp and spybot wasn't running and there was no one who could have canceled the scan and closed the program. so I just opened it again and had it scan, it picked up one entry, "Microsoft.WindowsSecurityCenter_disabled Settings".

I attached the earlier log (of the scan that disappeared at 1am), and the log of the scan I ran afterwards at 5am. I wonder if there was anything my techy angels can determine was the problem, should I contact spybotsd directly?

OH, after fixing what spybot found this morning, I looked in systems properties and the system restore tab was there/visible.

could all that be a part of the virus?

=====================
okay, I have just updated the current definitions and will be running another spybotsd scan.

ok. off to run a new spybotsd scan.


wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #62 on: September 10, 2008, 06:08:20 PM »
Hi 
SYSTEM MAINTENANCE DAY (till Polonus gets back to you on the rootkit thing)
Dbl check your AV and Firewall status after cleaning

I would say you have been working methodically to get rid of the multiple Anti-Virus apps
some posters are impatient, want to jump to the BIG FIX and leave the details undone- then they say all done bye and leave their system vulnerable  --good work
stir the AV removal with your other hand  did you run the Antivir uninstall and regcleaner- that should do it?

Let's think of NOSCRIPT add in for FIREFOX for awhile or something to keep these pop ups away
make especially sure your Adobe Flash is up to date-- did we remove old JAVA - I forget

SAS only showed tracking cookies this time  good news- you used the latest definitions-good
but new ones today- maybe 30 targeting the batch of crud you are finding  worth another scan while you take a nap or eat or walk down the hall or something

your spybot is out of date
remove 1.52
if you ever had 1.3 or 1.4 installed
run the uninstaller  search for "small fix" within spybot forum or I can get the link later today
google "spybot forum" or go to safernetworking and then to Spybot S and D forum-- good place
you will end up with 1.6.0.30 and today's definitions  re immunize and run a new scan
if spybot hangs you can run it in safe mode

MBAM has a new version 1.27 out so remove the old one while you are in maintenance mode- give new one a shot too

Yesterday was MS patch day so run SECUNIA SECURITY INSPECTOR and get everything up to date


I looked in systems properties and the system restore tab was there/visible.---GOOD NEWS

Polonus will have to get with you on the rootkit
the GMER in HPFIX did not find anything

HPFIX comments  definitely worth doing
smchk.exe.bat is xpantivirus so is sfsrv.exe.bat  so the rest of those trojans found are also very suspect
what about that last one Temp\desktop_background.zip  running from temp  click on that one and you open the door

I think that latest detection that was found was already on your machine and just popped up with the latest definitions
This is why it is important to go around again with latest definitions

What did we decide about this one
O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay

THINGS TO DO LATER
It is NOT good to always run as administrator
set up user accounts
"probably another account with only user rights to go onto the Internet, and another account to get MS updates and program updates, at least that is what has kept me safe,"
Another thing to do will be to go in and remove all the old quarantine files-like antivir- so they do not pollute future scans
SEE WHAT HAPPENS WITH MULTIPLE AV's

Except for the Rootkit analysis we ought to be getting pretty good to go
still lots to do
WE have to select some REAL TIME LOAD AT BOOT UP anti spyware/malware protection

one thing to do might be go to the website of the Rootkit tool used and see if they have a forum
If Polonus is out we could post there for an interpretation

Cheers
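
As an added example (not part of the thread or written by any poster): a small Python check for the pattern discussed in the reply above, startup entries that launch from a temp folder, run over HijackThis O4 lines. Only the first sample line is quoted from the thread; the other two lines and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: line 1 is the O4 entry quoted in the thread,
# lines 2 and 3 are made-up entries for contrast.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [rspNotify] "C:\WINDOWS\TEMP\GenesisAluMsg.exe" /delay
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" -silent
O4 - HKCU\..\Run: [ExampleBg] C:\Documents and Settings\user\Local Settings\Temp\bg.exe
'''

# HijackThis registry autorun line: O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Unquoted commands may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r'^(.*?\.(?:exe|bat|cmd|com|scr|pif|vbs|js|dll))(?=\s|,|$)', re.I)


def executable_of(cmd):
    """Return the program path from an autorun command, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def runs_from_temp(path):
    """True if any directory in the path is a temp folder (TEMP, TMP, %TEMP%)."""
    dirs = [p.strip('%').lower() for p in PureWindowsPath(path).parts[:-1]]
    return any(d in ("temp", "tmp") for d in dirs)


def flag_temp_autoruns(log_text):
    """Return (hive, key, name, exe) for each O4 entry that starts from temp."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a registry autorun line
        exe = executable_of(m.group("cmd"))
        if runs_from_temp(exe):
            findings.append((m.group("hive"), m.group("key"), m.group("name"), exe))
    return findings


if __name__ == "__main__":
    for hive, key, name, exe in flag_temp_autoruns(SAMPLE_LOG):
        print(f"REVIEW {hive}\\{key} [{name}] -> {exe}")
```

A hit is a reason to review the entry, not proof that the file is malicious.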

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #63 on: September 11, 2008, 04:12:34 AM »
Quote
I would say you have been working methodically to get rid of the multiple Anti-Virus apps
some posters are impatient want to jump to the BIG FIX and leave the details undone-

Wow, I really appreciate that! I was just telling my friend that I was concerned you might get frustrated w/me for not moving things along faster and asking so many questions =)

I haven't been able to do much with the laptop today, except for run another SAS scan while I was out, so I will post the log for info purposes.
I will reply and follow your recommendations after I get some sleep.

Thank you!!

wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #64 on: September 11, 2008, 04:14:55 AM »
Polonus  could you look at his Rootkit attachment above- thanks

Dear sb
you might wonder why we do it the way we do it
most high volume shops run HJT and then run "COMBO fix" and if nothing is active they are done and if not they go on from there

The problem with this is that there are lots of "traces" "fragments" registry entries, files etc that are left over
Then one of your programs improves detections and these leftovers are found and "YOU HAVE MALWARE"
of course it's just crap but like the files in quarantine - cause nothing but problems down the road

We try and find the "universe" what's out there
and
then run general purpose scanners to hopefully get the main thing AND all associated garbage
This also turns up other things which would not have been found by the usual quick and dirty method

We then travel down each lead till we get rid of everything we can find
In your case I think we are getting there (as soon as we rule out rootkits which could start us all over again and we DO NOT WANT THAT)

SAS has some new updates ( and always will :)

hope to hear from you soon




wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #65 on: September 11, 2008, 04:19:38 AM »
I'm NOT that fast
I had it typed BEFORE your last post
however
SAS is up 3 versions later than the database you used
be sure and update before each scan

just cookies
nothing is showing back up  good

nite nite

copy of something polonus posted in another thread- might help
Turning on "Show all files":

Windows XP

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Turning off and on System Restore:
http://www.pchell.com/virus/systemrestore.shtml

http://www.matousec.com/projects/firewall-challenge/results.php
« Last Edit: September 11, 2008, 04:38:13 AM by wyrmrider »

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #66 on: September 12, 2008, 05:56:23 AM »
Hello,
I had a hectic day and will be away most of the day tomorrow. I will write again (most likely on Saturday evening est), when I have completed all the updates/scans/changes/drizzled holy water on the laptop/etc! (lol)
Be Well.
sbM

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #67 on: September 25, 2008, 03:57:54 AM »
*blows the dust off of the thread*

Hi!

So I've been preoccupied with everything else, but the computer.

OK, so yesterday I created a user account, but it kept prompting me to create an admin account. Which was confusing because I figured if there was only one user acct, it was admin. So I created an account named "Admin" and the other one with limited access is sbMama.

Earlier I reread posts from pages 4 and 5, made notes of what to do. One being to:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

the other was to uninstall Spybots&d so that I can install the newer version. After uninstalling, I rebooted and the original Administrator account is not visible?!?!?! My hair is practically white! What does that mean, as you know, I am usually in Administrator mode, so I have a ton of files I can no longer access.

Did I set myself up by having two administrator accounts? One being Administrator and the other Admin?

*scream*

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #68 on: September 25, 2008, 05:50:07 AM »
oops. nevermind. :)
« Last Edit: September 25, 2008, 06:14:36 AM by sbMama »

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #69 on: September 25, 2008, 06:22:13 AM »
just fyi. between tonight and tomorrow, I will be updating and running:
rogue remover
secunia software inspector
MBAM
SAS ( I will temp disable norton b4 running)
spybot  1.6

I will be disabling system restore first, then running the programs in safe mode.

Oh, the forum on the antirootkit site isn't helpful.

Ok, I'm updated now... dizzy, but updated.

Thanks!

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #70 on: September 25, 2008, 06:25:25 AM »
just fyi. between tonight and tomorrow, I will be updating and running:
rogue remover
secunia software inspector
MBAM
SAS ( I will temp disable norton b4 running)
spybot  1.6

I will be disabling system restore first, then running the programs in safe mode.

Oh, the forum on the antirootkit site isn't helpful.

Ok, I'm updated now... dizzy, but updated.

Thanks!

**I know Polonus mentioned:
Quote
then we'll think about the following (do you want to be clean or REALLY CLEAN...)
and let him do the following:
have him run Silent Runners from here:
http://www.silentrunners.org/Silent%20Runners.vbs
and attach a log file,

and let him have a go at it with StartDreck:
http://www.niksoft.at/php/dl.php?f=startdreck.zip
and post a logfile.txt,
Is that one of the final scans?

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #71 on: September 25, 2008, 02:06:04 PM »
when I was in safe mode to run SAS, I was able to see the Administrator user, but am still not sure why I can't simply log off and switch to it in reg mode. I will try and obtain more info as to why that is happening later. what I read in the windows help section wasn't useful.

I uninstalled the old spybot, reinstalled the new 1.6, updated, immunized and scanned. pls see attached

I updated and ran SAS early this morning, half asleep. pls see attached.

Rogue remover didn't find anything.

Secunia is some kind of awesome! I had no idea that type of software was out there. It found about 9 fixes, and 14 that it recommends a techy person perform. I was half asleep and didn't disable the feature that would let me view those particular fixes. I suppose I should sometime today to see what programs they're referring to?

I am about to uninstall MBAM and install/run the newer version

bbl =)

wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #72 on: September 25, 2008, 08:46:53 PM »
SAS found nothing which is good
did spybot find any bad stuff- that log does not show the scan results?
see if mbam finds anything but you should be getting clean
if you do those scans polonus mentioned i'm sure he will look at them
I have little experience with them

sbMama

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #73 on: September 29, 2008, 11:13:59 PM »
Hi Wyrmrider =)

I attached the spybotsd file with the list of found objects. MBAM hasn't found anything.

I've reviewed this page:
http://www.silentrunners.org/Silent%20Runners.vbs

and I don't know what to do once I run the program? It might as well be in Chinese! lol

the other program Polonus mentioned, StartDreck, appears to be in German.. so I'm reading the translated page, then will run the program and post.

I haven't been able to find any other helpful info on what to do with those red entries in the antirootkit result, I am in the process of signing on to that site so that I can write them directly.

Hope you had a great weekend.

I'll be back soon!


In a previous post, you mentioned: WE have to select some REAL TIME LOAD AT BOOT UP anti spyware/malware protection
are we almost at that point?


wyrmrider

  • Guest
Re: "Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]
« Reply #74 on: September 30, 2008, 12:41:59 AM »
YES
Spybot only found cookies  a privacy issue
I hope Polonus will be by on the other issues

On Wednesday (s) update spybot and reimmunize
I'll be back tomorrow and look over the whole thread

cheers