handplane Posted February 9, 2006

SPYWARENO
obj[0]=Regkey : S-1-5-21-1177238915-789336058-839522115-1003\software\microsoft\windows\currentversion\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}
obj[1]=RegData : software\microsoft\internet explorer\desktop\general "WallpaperStyle"
obj[2]=RegData : control panel\desktop "WallpaperStyle"

First time to have spyware in the Registry. Does anyone know the origin and/or what this is?
TIA.
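Before deleting anything, a defender would want to know what the three flagged registry locations actually hold. The following PowerShell script is an added example, not part of the thread or of any tool mentioned in it. It takes the CLSID from the log above and assumes the logged-on user is the one whose SID appears there (so HKCU stands in for the HKEY_USERS\S-1-5-21-... path); everything else it reads is a standard Windows or Internet Explorer registry location.

```powershell
# Added example (not from the thread): inspect the three registry locations that the
# Ad-Aware log above flagged, so the values can be judged before anything is removed.
# Assumption: the logged-on user is the SID from the log, so HKCU is the same hive.

$clsid = '{72267f6a-a6f9-11d0-bc94-00c04fb67863}'   # taken from the log above

# 1. Ext\Stats is where IE's "Manage Add-ons" keeps per-add-on usage statistics, keyed by
#    CLSID. An entry there is bookkeeping, not code; what matters is whether the CLSID is
#    still registered and, if so, which DLL it points at.
$stats = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$clsid"
Write-Host "Ext\Stats entry present: $(Test-Path $stats)"

$clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (Test-Path $clsKey) {
    $desc = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$clsKey\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
    Write-Host "CLSID registered: '$desc' -> $dll"
    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path $expanded) {
            # A signed, in-place system DLL is the expected outcome for a Microsoft CLSID.
            $sig = Get-AuthenticodeSignature -FilePath $expanded
            Write-Host "  server DLL exists; signature: $($sig.Status) $($sig.SignerCertificate.Subject)"
        } else {
            Write-Host "  server DLL missing on disk: $expanded (orphaned registration)"
        }
    }
} else {
    Write-Host "CLSID $clsid is not registered under HKCR; the Stats entry is an orphan"
}

# 2. WallpaperStyle is an ordinary desktop setting (on XP: "0" = centred/tiled, "2" =
#    stretched). The number itself is harmless; the sibling Wallpaper value, i.e. which
#    file is being displayed and where it lives, is what deserves a look.
$desktopKeys = @(
    'HKCU:\Control Panel\Desktop',
    'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
)
foreach ($k in $desktopKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $p) { Write-Host "$k : key absent"; continue }
    Write-Host $k
    Write-Host "  WallpaperStyle = $($p.WallpaperStyle)   Wallpaper = $($p.Wallpaper)"
    if ($p.Wallpaper -and -not (Test-Path ([Environment]::ExpandEnvironmentVariables($p.Wallpaper)))) {
        Write-Host "  wallpaper file does not exist on disk (stale or already cleaned up)"
    }
}
```

Run it from the affected user's own session; a registered CLSID that resolves to a signed DLL under %SystemRoot%\System32 and a wallpaper path under the user's own pictures are the benign outcomes, which is consistent with the "dormant remnant" reading given later in the thread.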
Matt Posted February 9, 2006

This may be a remnant of a smitfraud infection that is no longer present. I'm going to move this to the HJT section since I'd like to see a HJT log.

You are going to have to work in safe mode for this, so you may wish to print out these directions.

Download smitRem.exe © noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on the Panda ActiveScan link, select "Copy Shortcut", then right click on your desktop and select "Paste Shortcut"; or in FireFox right-click the link, select "Save Link As" and save it to your desktop).

Reboot your computer in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Post that log in your next reply.

Reboot back into Windows and click the Panda ActiveScan shortcut.
Once you are on the Panda site click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When the download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Then, scan again with HJT and post a new log, along with the smitfiles log and the active scan report.
handplane Posted February 9, 2006 (Author) (edited)

Matt,
Thanks for the response.
Lost the Panda shortcut after coming out of safe mode.

smitRem © log file
version 2.8
by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 02/09/2006
The current time is: 13:12:00.62

Running from
C:\Documents and Settings\johnny\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

checking for WinHound.com key
WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]

Killing PID 760 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!
Activescan report:

Incident                                        Status            Location
Potentially unwanted tool:Application/Processor Not disinfected   C:\Documents and Settings\johnny\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected   C:\Documents and Settings\johnny\Desktop\smitRem.exe[Process.exe]

Edited February 9, 2006 by handplane
Matt Posted February 9, 2006

handplane, I'm pretty sure you are clean, based on the panda report, that smitrem didn't remove anything, and this is the only thing ad-aware found. It is most likely a dormant file. See if ad-aware can get rid of it.

If you need this reopened, shoot me a PM.

Matt
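Matt's verdict above rests on reading the ActiveScan report and noticing that both hits sit inside the smitRem folder (and the archive it was extracted from), i.e. they are the cleanup tool's own process-killing component rather than the original infection. The script below is an added example, not part of the thread or of Panda's or smitRem's tooling, that automates that triage step: it parses report lines in the Incident / Status / Location layout shown above (the column format and the status vocabulary beyond "Not disinfected" are assumptions) and separates hits under a known tool path from everything else. The sample lines are constructed from the report in the thread.

```powershell
# Added example (not from the thread): split a Panda ActiveScan report into detections
# that belong to a removal tool's own files and detections that need real attention.
# The report layout is assumed from the thread; the sample text is constructed from it.

$report = @'
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\johnny\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\johnny\Desktop\smitRem.exe[Process.exe]
'@

# Roots under which hits are the cleanup tool itself (constructed list for this thread).
# The prefix also matches the archive form "smitRem.exe[Process.exe]" next to the folder.
$toolRoots = @('C:\Documents and Settings\johnny\Desktop\smitRem')

# Incident text up to the colon, detection name, a status word or phrase, then the path.
$pattern = '^(?<incident>[^:]+):(?<detection>\S+)\s+(?<status>Not disinfected|Disinfected|Deleted)\s+(?<location>.+)$'

function Test-ToolPath([string]$location) {
    foreach ($root in $toolRoots) {
        if ($location.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$hits = foreach ($line in ($report -split "`r?`n")) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Incident  = $Matches.incident.Trim()
            Detection = $Matches.detection
            Status    = $Matches.status
            Location  = $Matches.location.Trim()
            FromTool  = Test-ToolPath $Matches.location.Trim()
        }
    } elseif ($line.Trim()) {
        Write-Warning "unparsed report line: $line"
    }
}

$hits | Format-Table Detection, Status, FromTool, Location -AutoSize

$remaining = @($hits | Where-Object { -not $_.FromTool })
Write-Host "Detections outside tool folders: $($remaining.Count)"
if ($remaining.Count -eq 0) {
    Write-Host "Only the cleanup tool's own components were flagged; no live infection in this report."
}
```

In practice the report is read from the saved file (replace the here-string with `Get-Content -Raw`), and the `$toolRoots` list holds whatever utilities were run during the cleanup, so that a scanner flagging a process-killer bundled with a removal tool is not mistaken for the infection it was used against.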
Matt Posted February 9, 2006

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.