
ABetterInternet Spyware

Discussion in 'Virus & Other Malware Removal' started by person, Dec 31, 2006.

Thread Status:
Not open for further replies.
  1. person

    person Thread Starter

    Joined:
    Dec 23, 2006
    Messages:
    972
    Trend Micro Anti-Spyware shows these entries but other programs haven't found them.

    Adware_ABetterInternet

    Windows Registry
    Windows Registry: Found '' in 'CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}'
    Windows Registry: Found '' in 'CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}'
    Windows Registry: Found '' in 'Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}'
    Windows Registry: Found '' in 'Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}'
    Windows Registry: Found '' in 'TabDlg.SSTab'
    Windows Registry: Found '' in 'TabDlg.SSTab.1'
    Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}'
    Windows Registry: Found '' in 'SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}'
    Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}'
    Windows Registry: Found '' in 'SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}'
    Windows Registry: Found '' in 'SOFTWARE\Classes\TabDlg.SSTab'
    Windows Registry: Found '' in 'SOFTWARE\Classes\TabDlg.SSTab.1'

    What is it with Trend Micro Anti-Spyware and so many things it shows up as malware that are benign? It's making me paranoid.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:22:15 PM, on 31/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\LxrJD31s.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\TrojanHunter 4.6\THGuard.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162247132000
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - C:\Program Files\Common Files\eztools\eztoolslib2.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: GB-PVR Recording Service - Unknown owner - c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe (file missing)
    O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,285
    Those look like legitimate detections to me for a keylogger called PC Police.

    Did you intentionally install such a program?
     
  3. person

    person Thread Starter

    Joined:
    Dec 23, 2006
    Messages:
    972
    No, I didn't, and I assumed they were false positives because no other programs I used for security showed any of these entries, and in my experience Trend Micro Anti-Spyware has a tendency to come up with false positives, but maybe this time it actually got one the others didn't. Does my HijackThis log show anything suspicious, and do these entries give any idea as to where this program came from? They probably don't, but I thought I'd ask anyway on the slim chance they do. So if I really do have this spyware, do I need to do anything else besides deleting these entries to fully get rid of it from my system?
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,285
    It's really only detected as a possible risk as it may have been installed intentionally but I'm surprised your Norton didn't detect it.

    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2005-062014-5447-99&tabid=2


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report



    Download WinPFind.exe to your desktop and double click on it to open it, then select “extract” to extract the files. This will create a folder named WinPFind on your desktop.

    Start in Safe Mode Using the F8 method:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.

    Double click on the WinPFind folder on your desktop to open it and then double click on the WinPFind.exe file to start the program.

    • Click “Configure scan options”
    • Under “Run AdOns” select the following:
      • Policies.def
      • Security.def
    • Click “apply”
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log.
     
  5. ChrisRLG

    ChrisRLG

    Joined:
    Jun 25, 2005
    Messages:
    3
    Hi Cookiegal


    We have closed the topic this person has made at MWR - did not wish more than one forum to be helping.
    http://forum.malwareremoval.com/viewtopic.php?t=16802

    I hope that person has not posted to other places too. Perhaps they will confirm to you when they reply.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,285
    Thanks Chris! :)
     
  7. ChrisRLG

    ChrisRLG

    Joined:
    Jun 25, 2005
    Messages:
    3
    Sorry to say, there is also a topic at TomCoyotes - that too has been locked.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,285
    If we only had a nickel for every time this happens... :)
     
  9. person

    person Thread Starter

    Joined:
    Dec 23, 2006
    Messages:
    972
    So you security forum people are mostly connected? I only want a second opinion, is that so wrong? You are an expert in this field I admit that but there are reasons I may doubt your conclusion and I simply wanted a second opinion to either confirm your opinion or my doubt. I am more than willing to accept your conclusion and I mean in no way to offend you or doubt your skills but I honestly would like at least one other person to objectively look at the data and give me their honest opinion. I couldn't seem to do that in this forum because you were already helping me so I sought others.

    Just to show I'm not trying to be arrogant these are the reasons I have doubts, maybe you can help with them.

    1. I searched online for PC Police and checked the files it puts on the user's computer, and I have none of these.
    2. Only one of the many Anti-Spyware products I used showed those registry entries and even then it classified them as belonging to something other than PC Police. I used Panda Activescan, AVG Anti-Spyware, Spy Sweeper, Windows Defender, Ad-Aware Professional and Spybot - Search & Destroy as well as Rootkit Revealer and the antivirus program I have.
    3. I have rarely noticed the symptoms that are usually associated with this form of spyware such as my computer or internet connection being slower than usual.
    4. Honestly I suppose I would rather these be false positives but that doesn't play a large part in my doubts.
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,285
    It could be PC Police or something else or it could be a false positive but one thing is certain, we need to investigate further.

    Please follow my previous instructions and post those logs and we'll take it from there.
     
  11. person

    person Thread Starter

    Joined:
    Dec 23, 2006
    Messages:
    972
    I ran the ActiveScan; it didn't find anything. I tried to run WinPFind, but after hours it wasn't doing anything.
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,285
    What keys were those items found under, i.e. HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, etc.?


    Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.
     
  13. person

    person Thread Starter

    Joined:
    Dec 23, 2006
    Messages:
    972
    Do I need to have a normal setup when Windows starts, like when you usually post a HJT log, or doesn't it matter? I could use Trend Micro Anti-Spyware to scan again and then try to get the areas of where these entries are.
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,285
    You can just run the HijackThis uninstall scan the same way you did your HijackThis log.

    Please do rescan with Trend and find out the entire paths in the registry.
     
  15. person

    person Thread Starter

    Joined:
    Dec 23, 2006
    Messages:
    972
    These are the full registry paths for those entries:

    HKCR\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
    HKCR\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
    HKCR\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
    HKCR\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}
    HKCR\TabDlg.SSTab
    HKCR\TabDlg.SSTab.1

    HKLM\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
    HKLM\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
    HKLM\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
    HKLM\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}
    HKLM\SOFTWARE\Classes\TabDlg.SSTab
    HKLM\SOFTWARE\Classes\TabDlg.SSTab.1

    Maybe this can help you work out what's going on. I'll post the HJT log bit after I wake up (I'm going to bed soon).
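The twelve paths in the post above are two views of the same six keys: HKCR is a merged view of HKLM\SOFTWARE\Classes and the per-user HKCU\Software\Classes, so a detection listed under both HKCR and HKLM\SOFTWARE\Classes is one key counted twice. The script below is an added example, not something posted in this thread or part of any tool named here; it takes the pasted paths (trailing apostrophes and all, as constructed sample input), collapses the views, and buckets each distinct key as a COM class (CLSID), interface, or ProgID so a helper can see what actually has to be examined.

```python
import re
from collections import OrderedDict

# Constructed sample input: the full paths the thread starter pasted, including
# the stray trailing apostrophes that came along with the copy and paste.
TREND_HITS = r"""
HKCR\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}'
HKCR\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}'
HKCR\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}'
HKCR\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}'
HKCR\TabDlg.SSTab'
HKCR\TabDlg.SSTab.1'
HKLM\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}'
HKLM\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}'
HKLM\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}'
HKLM\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}'
HKLM\SOFTWARE\Classes\TabDlg.SSTab'
HKLM\SOFTWARE\Classes\TabDlg.SSTab.1'
"""

# HKCR merges the machine-wide and per-user Classes hives, so all three prefixes
# address the same namespace; strip whichever one is present.
_VIEWS = (r"HKCR\\", r"HKLM\\SOFTWARE\\Classes\\", r"HKCU\\Software\\Classes\\")
_GUID = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def canonical_subkey(line):
    """Return the Classes-relative subkey, or None if the line is not a Classes path."""
    line = line.strip().rstrip("'")
    for prefix in _VIEWS:
        m = re.match(prefix, line, re.I)
        if m:
            return line[m.end():]
    return None


def classify(subkey):
    """Bucket a Classes subkey as a COM class, interface, ProgID or 'other'."""
    parts = subkey.split("\\")
    if len(parts) == 2 and parts[0].upper() == "CLSID" and _GUID.match(parts[1]):
        return "clsid"
    if len(parts) == 2 and parts[0].upper() == "INTERFACE" and _GUID.match(parts[1]):
        return "interface"
    if len(parts) == 1 and "." in parts[0]:
        return "progid"
    return "other"


def collapse(text):
    """Map each distinct key (view ignored, case-insensitive) to its kind, in first-seen order."""
    keys = OrderedDict()
    for line in text.splitlines():
        sub = canonical_subkey(line)
        if sub:
            keys.setdefault(sub.upper(), classify(sub))
    return keys
```

On the affected machine the next check is the default value of each CLSID key's InprocServer32 subkey, which names the DLL or OCX the class loads; that file, not the registry key itself, is what identifies the software behind the detection.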
     
Short URL to this thread: https://techguy.org/530968