SPYWARE-SECURE removal


7 replies to this topic

#1 Brian


Posted 24 July 2007 - 04:38 PM

Hi !
I am a new user of KIS and have run my first full scan. I chose KIS because everything I read about it was positive. I have ditched Norton IS as it is pathetic. However, KIS failed to detect SPYWARE-SECURE, which has infected my PC and is causing havoc with perpetual pop-ups which keep telling me I have 100s of viruses and need to download their product. I have tried numerous anti-spyware programs but none can detect this trojan (which I think it is). I intend to stick with KIS as I am impressed with it. However, can anyone advise me how to remove SPYWARE-SECURE? Please answer in simple talk as I am a relatively average PC user with little knowledge of registries/BIOS etc.
Thanks in advance
Brian

#2 Lucian Bara

Global Moderator

Posted 24 July 2007 - 05:11 PM

enable riskware detection in settings->protection and do a full my computer scan afterwards.
kaspersky should detect "spyware secure" as an adware, it's probably another part that's not detected.
do a scan with superantispyware: http://www.superantispyware.com/ and see if it detects anything.

If it fails to detect anything,
download hijackthis from here: http://www.trendsecu.../HiJackThis.exe
and save it to a folder (example c:\hjt), double click hijackthis.exe
Accept the license agreement and press "do a scan and save logfile"

After the scan completes a notepad window should open, copy all the text and paste it into your post
Intel Core 2 Duo E4500 @ 2,2GHz, Msi Asus P5PL2-E, 2048MB-DDR2 (2*1024), Leadtek PX6600 256MB, Teac DV-W516GA, Leadtek tv2000 xp Expert, HDD 200GB*2 (sata/sata2)

#3 Brian


Posted 24 July 2007 - 10:22 PM

> enable riskware detection in settings->protection and do a full my computer scan afterwards.
> kaspersky should detect "spyware secure" as an adware, it's probably another part that's not detected.
> do a scan with superantispyware: http://www.superantispyware.com/ and see if it detects anything.
>
> If it fails to detect anything,
> download hijackthis from here: http://www.trendsecu.../HiJackThis.exe
> and save it to a folder (example c:\hjt), double click hijackthis.exe
> Accept the license agreement and press "do a scan and save logfile"
>
> After the scan completes a notepad window should open, copy all the text and paste it into your post

Hi Lucian, hope this helps. Thanks for your input.
Brian

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:15:07, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\windows\system32\bgtmxirkjh.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\brian\Local Settings\Temporary Internet Files\Content.IE5\H744KRRX\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.co.uk
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: AutoDiscovery Class - {CAB710D6-532E-4B68-97AE-398477FA5524} - C:\Program Files\Deskshare\Active Web Reader\IERSSFeedDiscovery.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [bgtmxirkjh] c:\windows\system32\bgtmxirkjh.exe bgtmxirkjh
O4 - HKLM\..\Run: [zzzCamInSuiteIII] D:\SETUP.EXE 2***
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZUxdm080YYES
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138813624796
O16 - DPF: {B6F0855B-A06D-498B-A537-80AFF04A1B4E} (WSClientCtl Class) - https://www.telefoni...en/WSClient.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MediaBar) - http://sib1.od2.com/...nagerPlugin.CAB
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup161.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B36F37E-54A1-46DB-9FFF-0C70CAC1207B}: NameServer = 80.58.61.250,80.58.61.254
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O24 - Desktop Component 0: (no name) - http://us.i1.yimg.co...f/bubble-tr.gif
O24 - Desktop Component 1: (no name) - http://translation2....m/images/bg.gif
O24 - Desktop Component 2: (no name) - http://www.davinciin...32f73a0dc_o.jpg

--
End of file - 9889 bytes

#4 Lucian Bara

Global Moderator

Posted 24 July 2007 - 10:54 PM

could you send these files:
C:\windows\system32\bgtmxirkjh.exe
D:\SETUP.EXE
for analysis to newvirus@kaspersky.com: http://forum.kaspers...showtopic=13881

did you also perform the scan with superantispyware & clean up the detected items?

When you are done with sending, boot the pc into safe mode and delete the following file:
c:\windows\system32\bgtmxirkjh.exe

open hjt again, choose do a scan only, mark the following items in the list and press fix checked:
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [bgtmxirkjh] c:\windows\system32\bgtmxirkjh.exe bgtmxirkjh
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZUxdm080YYES
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

and press fix checked.
Do you still get those popups afterwards?
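The moderator's triage of the HijackThis log above follows three simple rules: autorun (O4) entries whose executable sits in system32 under a random-looking name, entries whose target is "(no file)", and known adware components such as the My Web Search bar. As an added example (not part of this thread or of HijackThis), the Python below encodes those rules over constructed sample lines in the HijackThis 2.x format; the random-name check is a heuristic that produces candidates for review, not verdicts.

```python
import re

# Constructed sample in HijackThis 2.x format; the entries mirror the kinds
# of lines in the thread's log (the bgtmxirkjh entry is the one fixed there).
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\\..\\Run: [CTSysVol] C:\\Program Files\\Creative\\Surround Mixer\\CTSysVol.exe /r
O4 - HKLM\\..\\Run: [igfxpers] C:\\WINDOWS\\system32\\igfxpers.exe
O4 - HKLM\\..\\Run: [My Web Search Bar] rundll32 C:\\PROGRA~1\\MYWEBS~1\\bar\\2.bin\\MWSBAR.DLL,S
O4 - HKLM\\..\\Run: [bgtmxirkjh] c:\\windows\\system32\\bgtmxirkjh.exe bgtmxirkjh
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# O4 autorun line: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
SYS32_EXE_RE = re.compile(r"\\system32\\(?P<stem>[a-z]+)\.exe\b", re.IGNORECASE)
ADWARE_MARKERS = ("mywebs",)  # the My Web Search bar the moderator had removed

def looks_random(stem: str) -> bool:
    """Heuristic only: long all-letter name, few vowels, long consonant run."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    vowels = sum(c in "aeiouy" for c in s)
    longest_run = max((len(run) for run in re.findall(r"[^aeiouy]+", s)), default=0)
    return vowels / len(s) < 0.2 and longest_run >= 4

def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for log entries that merit a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.endswith("(no file)"):  # leftover entry pointing at nothing
            findings.append(("orphan entry, target missing", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if any(mark in cmd.lower() for mark in ADWARE_MARKERS):
            findings.append(("known adware component", line))
        else:
            exe = SYS32_EXE_RE.search(cmd)
            if exe and looks_random(exe.group("stem")):
                findings.append(("random-looking executable in system32", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:40} {line}")
```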

#5 Brian


Posted 25 July 2007 - 09:15 PM

> could you send these files:
> C:\windows\system32\bgtmxirkjh.exe
> D:\SETUP.EXE
> for analysis to newvirus@kaspersky.com: http://forum.kaspers...showtopic=13881
>
> did you also perform the scan with superantispyware & clean up the detected items?
>
> When you are done with sending, boot the pc into safe mode and delete the following file:
> c:\windows\system32\bgtmxirkjh.exe
>
> open hjt again, choose do a scan only, mark the following items in the list and press fix checked:
> R3 - URLSearchHook: (no name) - - (no file)
> O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
> O4 - HKLM\..\Run: [bgtmxirkjh] c:\windows\system32\bgtmxirkjh.exe bgtmxirkjh
> O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZUxdm080YYES
> O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
>
> and press fix checked.
> Do you still get those popups afterwards?

Hi Lucian!
I am unable to send you the file C:\windows\system32\bgtmxirkjh.exe as my e-mail is through Yahoo and is not OE.
However, I opened hjt again and ran a scan as instructed and deleted all you told me to except item 2, which did not show up. I have run the PC for an hour now and can report no pop-ups or interruptions at all. Indeed, if anything the PC is faster and quieter than before.
I would like to thank you for taking the time to help me.
Many many thanks
Brian


#6 Lucian Bara

Global Moderator

Posted 25 July 2007 - 09:41 PM

you could have sent it through yahoo, to newvirus@kaspersky.com, it would have helped to improve detection rates.

#7 Brian


Posted 25 July 2007 - 10:48 PM

> you could have sent it through yahoo, to newvirus@kaspersky.com, it would have helped to improve detection rates.

yahoo tells me "missing or malformed recipient" when I click "send"

#8 Lucian Bara

Global Moderator

Posted 25 July 2007 - 11:38 PM

oh well, it will be caught eventually.