Topic: malware? spenserNK


danihart01

  • Guest
malware? spenserNK
« on: April 12, 2009, 11:54:26 AM »
On starting the computer, an icon comes up on the bottom toolbar: Spenser NK. It looks like an anti-virus program, but I do not know how it got there or if it is safe.
Thanks Dani

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33955
  • malware fighter
Re: malware? spenserNK
« Reply #1 on: April 12, 2009, 12:13:11 PM »
Hi danihart01,

Information on this: http://forums.majorgeeks.com/showthread.php?t=185476
Get HJT 2.0.2 here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/
and give us your HJT logfile (txt), attached via Additional Options to your next posting.

Also get this program here, but do nothing with it yet:
http://www.novell.com/coolsolutions/tools/downloads/BHORemover.zip

BHO Remover is the tool to remove unwanted Browser Helper Objects (browser plugin objects) from your system. Internet Explorer provides the feature called Browser Helper Object through which one can extend its functionality. However, this technique is being misused by many spyware programs, which monitor your browsing habits and also record your credentials for websites you visit. They also slow down your system considerably.

The BHO Remover tool allows you to quickly scan your machine for all installed BHOs, then displays them along with other important details which can help you to quickly identify bad BHOs and kick them out.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

danihart01

Re: malware? spenserNK
« Reply #2 on: April 12, 2009, 12:34:57 PM »
Wow, lots of procedures on the MajorGeeks forum. Not sure what to do first. Or do I download HijackThis first and do a free scan?
Please help an amateur. Dani

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33955
  • malware fighter
Re: malware? spenserNK
« Reply #3 on: April 12, 2009, 12:45:44 PM »
Hi danihart01,

Launch HJT and I will analyze the logfile; then we have a look at what to do with BHO Remover.
The other link was just for evaluating the problem.
So, waiting for your attached HJT logfile (txt).

pol

danihart01

Re: malware? spenserNK
« Reply #4 on: April 12, 2009, 01:28:42 PM »
Hi,
Have posted. Is that satisfactory?
Thanks


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33955
  • malware fighter
Re: malware? spenserNK
« Reply #5 on: April 12, 2009, 02:34:49 PM »
Hi danihart01,

First, what you should and can fix using HijackThis:

Fix
O2 - BHO: (no name) - {5BA7CC49-EC4D-AEB2-C9EF-E8EBB79D10FF} - C:\DOCUME~1\Owner\APPLIC~1\ADMINE~1\Okayway.exe (file missing)
Safety Rating: Known Adware, do not run. Adware Family: Part of Adware group - Adware Lop. Malware Form: EXPLOIT. Nasty (2.99 / 5.00)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) Safe,
but it is empty, so if you do not want this anymore, fix it: an unnecessary (deactivated) entry that can be fixed. This entry was classified as good.

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll Must be fixed! ViewBarBHO.dll: ViewPoint toolbar.

O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing) Neutral, but better fix as unwanted.
Unnecessary (deactivated) entry that can be fixed. ASKTBAR.DLL - Ask_Jeeves, hxtp://toolbar.ask.com/ toolbar - see this note: http://www.benedelman.org/spyware/installations/askjeeves-banner/

O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing) Neutral. Unnecessary (deactivated) entry that can be fixed. ASKTBAR.DLL - Ask_Jeeves, hxtp://toolbar.ask.com/ toolbar - see this note: http://www.benedelman.org/spyware/installations/askjeeves-banner/


O4 - HKLM\..\RunOnce: [SpybotDeletingA5910] command /c del "C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL" a5popswt.dll is a process registered by AskTBar - Nasty (2.15 / 5.00)
 
O4 - HKLM\..\RunOnce: [SpybotDeletingC8082] cmd /c del "C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL" Nasty (2.31 / 5.00)
 
O4 - HKLM\..\RunOnce: [SpybotDeletingA269] command /c del "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" Nasty (2.21 / 5.00)
 
O4 - HKLM\..\RunOnce: [SpybotDeletingC4446] cmd /c del "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" Nasty (2.32 / 5.00)

O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe" Check this at VirusTotal.com, else fix.

 
O4 - HKCU\..\RunOnce: [SpybotDeletingB7166] command /c del "C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL" Nasty (2.31 / 5.00)
 
O4 - HKCU\..\RunOnce: [SpybotDeletingD6526] cmd /c del "C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL" Nasty (2.31 / 5.00)
 
O4 - HKCU\..\RunOnce: [SpybotDeletingB7349] command /c del "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" Nasty (2.32 / 5.00)
 
O4 - HKCU\..\RunOnce: [SpybotDeletingD3063] cmd /c del "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" Nasty (2.32 / 5.00)

A survey of your active running tasks (process - type - description):

smss.exe - System Task - Session Manager Subsystem
winlogon.exe - System Task - Microsoft Windows Logon Process
services.exe - System Task - Windows Service Controller
lsass.exe - System Task - Local Security Authority Service
svchost.exe - System Task - Microsoft Service Host Process
svchost.exe - System Task - Microsoft Service Host Process
svchost.exe - System Task - Microsoft Service Host Process
Explorer.EXE - System Task - Microsoft Windows Explorer
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
ashServ.exe - Virusscan - Avast
hpsysdrv.exe - Application - Hewlett-Packard Monitoring Tool
hkcmd.exe - Application - Intel multimedia devices
spoolsv.exe - System Task - Microsoft Printer Spooler Service
hphmon05.exe - Application - Hewlett Packard Card Reader
hpcmpmgr.exe - Application - HP Component Manager
iHPDetect.exe - Backgroundtask - iHP-100 Drive Letter Search App.
igfxtray.exe - Application - Intel Graphics configuration and diagnostic application
jusched.exe - Backgroundtask - Sun Java Update Scheduler
KBD.EXE - Backgroundtask - Multimedia keyboard manager
GoogleUpdate.exe - Backgroundtask - GoogleUpdate.exe
GoogleUpdate.exe - Backgroundtask - Google Updater
apdproxy.exe - Application - Adobe Photoshop Album
HPWuSchd.exe - Backgroundtask - HP software updates
ashDisp.exe - Virusscan - Avast AntiVirus
point32.exe - Application - Microsoft IntelliMouse Monitor
rundll32.exe - System Task - Microsoft Rundll32
iTunesHelper.exe - Application - Apple iTunes
mnyexpr.exe - Backgroundtask - Microsoft Money Express
PCHButton.exe - Backgroundtask - Hewlett-Packard Instant Support Software
Skype.exe - Backgroundtask - Skype Internet Telephony
PhotoshopElementsFileAgent.exe - Backgroundtask - Adobe Photoshop Elements
MySpaceIM.exe - Backgroundtask - MySpace Instant Messenger
AppleMobileDeviceService.exe - Backgroundtask - Apple Mobile Device Service
mssysmgr.exe - Backgroundtask - PhotoShow Deluxe Media Manager
ymsgr_tray.exe - Backgroundtask - Yahoo! Messenger Server Traybar
mDNSResponder.exe - Backgroundtask - Bonjour for Windows Component
wcescomm.exe - System Task - Microsoft ActiveSync Connection Manager
WMPNSCFG.exe - Backgroundtask - Windows Media Player Network Sharing Service Configuration
btwdins.exe - System Task - Microsoft Bluetooth Service
ctfmon.exe - System Task - Alternative User Input Services
PCSuite.exe - Backgroundtask - Nokia PC Suite
rapimgr.exe - Backgroundtask - Microsoft ActiveSync Module
svchost.exe - System Task - Microsoft Service Host Process
jqs.exe - Backgroundtask - jqs.exe
hpqtra08.exe - Backgroundtask - Hewlett Packard Imaging
NetMDSB.exe - Unknown task - File NetMDSB.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 782,336 bytes (50% of all occurrences), 749,568 bytes, 684,032 bytes. There is an icon for this program on the taskbar next to the clock. The program has a visible window. It is not a Windows core file. NetMDSB.exe is able to hide itself, monitor applications, record inputs. Therefore the technical security rating is 16% dangerous; however, also read the user reviews. Could check at VirusTotal.com whether this is the genuine file...
svchost.exe - System Task - Microsoft Service Host Process
symlcsvc.exe - Firewall - Norton Internet Security Suite
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
ashWebSv.exe - Virusscan - avast! Web Scanner
iPodService.exe - Backgroundtask - Apple iTunes
ServiceLayer.exe - Backgroundtask - Nokia Connectivity Library
NclUSBSrv.exe - Backgroundtask - Nokia USB Media Server
NclIrSrv.exe - Backgroundtask - PC Connectivity Solution
SkypePM.exe - Backgroundtask - Skype Extras Manager
jucheck.exe - Backgroundtask - Sun Java UpdateChecker Module
OUTLOOK.EXE - Application - Microsoft Outlook
WINWORD.EXE - Application - Microsoft Word
iexplore.exe - Application - Microsoft Internet Explorer
ashSimpl.exe - Virusscan - Virus scanner
ViewMgr.exe - Application - ViewPoint Media Player
ViewpointService.exe - Backgroundtask - View Manager Service
HPZipm12.exe - Driver - HP Taskbar Utility
HijackThis.exe - Application - HijackThis 2.0.2

That is it,

polonus
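The verdicts in the reply above follow a few mechanical rules: a registration whose target reads "(file missing)" or "(no file)" is a dead reference and can be fixed outright; a live DLL from a vendor the reply names as unwanted (Viewpoint, AskTBar) gets fixed too; RunOnce entries that only run cmd /c del are a cleanup tool's pending deletes; and an autostart from the user's Application Data folder gets a VirusTotal check before anything else. The Python script below is an added example (not code from the thread, from HijackThis or from polonus) that applies those rules to HJT O2/O3/O4 lines. The sample log is constructed from the entries quoted in the reply; the vendor path markers and the verdict wording are assumptions.

```python
"""Triage HijackThis 2.0.2 O2 (BHO), O3 (toolbar) and O4 (autostart) lines.

Added example, not from the thread or from HijackThis. The rules encode the
verdicts given in the reply above; the vendor path markers are an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from the entries quoted in the reply.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5BA7CC49-EC4D-AEB2-C9EF-E8EBB79D10FF} - C:\DOCUME~1\Owner\APPLIC~1\ADMINE~1\Okayway.exe (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O4 - HKLM\..\RunOnce: [SpybotDeletingA5910] command /c del "C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8082] cmd /c del "C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL"
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe"
"""

# O2/O3: "<section> - <kind>: <name> - {CLSID} - <target>"
O2_O3 = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<target>.*)$"
)
# O4: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<command>.*)$"
)
# A cleanup tool's pending deletion queued through RunOnce (cmd.exe /c del ...).
PENDING_DELETE = re.compile(r"^(?:cmd|command)(?:\.exe)? /c del ", re.IGNORECASE)
# Assumption: components the reply marks as must-fix/unwanted, matched by path substring.
UNWANTED_PATH_MARKERS = ("\\viewpoint\\", "\\asktbar\\")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    verdict: str   # "fix" or "review"
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT line; return None for line types this example does not handle."""
    m = O2_O3.match(line)
    if m:
        section, name, target = m.group("section", "name", "target")
        low = target.lower()
        if target == "(no file)" or low.endswith("(file missing)"):
            return Finding(section, name, target, "fix",
                           "orphaned registration: the CLSID points at a file that is gone")
        if any(marker in low for marker in UNWANTED_PATH_MARKERS):
            return Finding(section, name, target, "fix",
                           "known unwanted toolbar component still present on disk")
        return Finding(section, name, target, "review",
                       "live in-process IE extension; identify the DLL before removing")
    m = O4.match(line)
    if m:
        key, value, command = m.group("key", "value", "command")
        if key == "RunOnce" and PENDING_DELETE.match(command):
            return Finding("O4", value, command, "fix",
                           "one-shot delete queued by a cleanup tool; harmless leftover")
        if "\\application data\\" in command.lower():
            return Finding("O4", value, command, "review",
                           "autostart from the user profile; hash-check the binary first")
        return Finding("O4", value, command, "review", "autostart entry; verify the publisher")
    return None


def triage(log: str) -> List[Finding]:
    """Triage every recognised line of a log, in order."""
    findings = []
    for raw in log.splitlines():
        f = triage_line(raw.strip())
        if f:
            findings.append(f)
    return findings


def summary(findings: List[Finding]) -> dict:
    """Count verdicts, e.g. {'fix': 7, 'review': 1}."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section} [{f.name}] {f.reason}")
    print(summary(triage(SAMPLE_LOG)))
```

Run as-is it prints one verdict per entry. The distinction matters because "Fix checked" in HijackThis removes only the registry reference: the orphan entries are safe to clear, while a live DLL or EXE still needs its file identified (hash it at VirusTotal) before you decide.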

danihart01

Re: malware? spenserNK
« Reply #6 on: April 12, 2009, 03:22:04 PM »
Thanks Polonus,
Have removed suggested items and will see if that works

danihart01

  • Guest
Re: malware? spenserNK
« Reply #7 on: April 12, 2009, 03:56:04 PM »
Hi Polonus,
Had HijackThis fix the entries suggested, except the O4 SmileboxTray. Shut down and restarted the computer, but unfortunately the Spenser NK icon is still in the tray.
Thanks

danihart01

Re: malware? spenserNK
« Reply #8 on: April 12, 2009, 04:06:44 PM »
Hi, checked SmileboxTray.exe with VirusTotal and the result showed 0/40.
Thanks

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33955
  • malware fighter
Re: malware? spenserNK
« Reply #9 on: April 12, 2009, 04:58:21 PM »
Hi danihart01,

Well, your computer is cleansed. If you wanna get rid of the Spenser NK icon, I did inform and will tell you in an upcoming posting; at least it can do no harm, as far as I concluded.

polonus

danihart01

Re: malware? spenserNK
« Reply #10 on: April 12, 2009, 05:11:51 PM »
Thanks, that would be appreciated. It is quite late here, so I will shut down for the night and check tomorrow.

Cheers

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: malware? spenserNK
« Reply #11 on: April 12, 2009, 11:28:18 PM »
This appears to be new, is there an entry for it in add/remove ?

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

danihart01

Re: malware? spenserNK
« Reply #12 on: April 13, 2009, 02:49:41 AM »
Hi ,
There is no entry in Add/Remove, and I can only close it in Status, not disable it.
Thanks

danihart01

Re: malware? spenserNK
« Reply #13 on: April 13, 2009, 07:03:02 AM »
Hi
Have done the scan with Malwarebytes and copied the log.
Restarted the computer and the NK icon is still coming up in the bottom toolbar?
Thanks


Malwarebytes' Anti-Malware 1.36
Database version: 1973
Windows 5.1.2600 Service Pack 3

13/04/2009 2:37:18 PM
mbam-log-2009-04-13 (14-37-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 268999
Time elapsed: 3 hour(s), 12 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcrwqj0egep (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
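The two Registry Data Items in the log above are the Windows XP Security Center flags AntiVirusDisableNotify and FirewallDisableNotify. A value of 1 suppresses the warning that antivirus or firewall protection is off, which is why a rogue such as Rogue.AntivirusXP2008 sets them; MBAM reports the value it found (Bad) and the value it restored (Good). The Python script below is an added example (not from the thread or from Malwarebytes) that pulls the registry findings out of an MBAM log, isolates the Security Center tampering, and checks a set of values read back after the reboot. The sample is constructed from the log posted above; the expectation that both flags read 0 (or are absent) after cleanup is an assumption about what to verify, not something the log states.

```python
"""Pull registry findings out of a Malwarebytes' Anti-Malware log and check the
Windows XP Security Center notification flags it reset.

Added example, not from the thread or from Malwarebytes. The sample log is
constructed from the report posted above; the post-reboot expectation is an
assumption.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the three registry items from the posted log.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcrwqj0egep (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# "<path> (<detection>) [-> Bad: (<x>) Good: (<y>)] -> <action>"
ITEM = re.compile(
    r"^(?P<path>HKEY_[A-Z_]+\\.+?) \((?P<detection>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\))?"
    r" -> (?P<action>.+)$"
)

# Security Center flags seen in the log: 1 silences the "protection is off" warning.
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify")


class RegistryItem(NamedTuple):
    section: str
    path: str
    detection: str
    bad: Optional[str]   # value MBAM found (None for plain value/key detections)
    good: Optional[str]  # value MBAM restored
    action: str


def parse_registry_items(log: str) -> List[RegistryItem]:
    """Return every item listed under a 'Registry ... Infected:' heading."""
    items: List[RegistryItem] = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith(":"):          # heading such as "Registry Values Infected:"
            section = line[:-1]
            continue
        m = ITEM.match(line)
        if m and section.startswith("Registry"):
            items.append(RegistryItem(section, **m.groupdict()))
    return items


def security_center_tamper(items: List[RegistryItem]) -> Dict[str, Optional[str]]:
    """Map each silenced Security Center flag to the value MBAM found there."""
    silenced: Dict[str, Optional[str]] = {}
    for it in items:
        key, _, value = it.path.rpartition("\\")
        if key.lower().endswith("\\security center") and value in NOTIFY_FLAGS:
            silenced[value] = it.bad
    return silenced


def verify_restored(current: Dict[str, int]) -> List[str]:
    """Given the flags read back after the reboot (e.g. from 'reg query'),
    return those still set to 1, i.e. warnings still suppressed.
    Assumption: a missing value counts as 0, the Windows default."""
    return [name for name in NOTIFY_FLAGS if current.get(name, 0) == 1]


def rogue_detections(items: List[RegistryItem]) -> List[str]:
    """Registry paths MBAM attributed to a rogue antivirus family."""
    return [it.path for it in items if it.detection.startswith("Rogue.")]


if __name__ == "__main__":
    found = parse_registry_items(SAMPLE_LOG)
    print("rogue remnants:", rogue_detections(found))
    print("silenced flags:", security_center_tamper(found))
    # Constructed post-reboot snapshot: one flag flipped back to 1 by a surviving component.
    print("still suppressed:", verify_restored({"AntiVirusDisableNotify": 0, "FirewallDisableNotify": 1}))
```

The practical use is the last function: if a flag MBAM reset to 0 reads 1 again after the restart, something that survived the cleanup is still writing it, which is the kind of persistence worth hunting for when the tray icon keeps coming back.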

danihart01

Re: malware? spenserNK
« Reply #14 on: April 13, 2009, 12:10:09 PM »
Morning Polonus,
Has anyone else seen this Spenser NK? And what do I do from here?
Thanks :)