
I have received the Spyware Protection spyware for the third time now, each about two weeks apart. It disables my computer, prevents me from downloading or running programs such as MBAM. After shutting down via the power button, I'm sometimes able to reboot in safe mode, and sometimes not, but when I'm successfully in Safe Mode and running a scan, the computer just shuts down - as if it just lost power. The only solution I've found is to restore system to a previous point. But even after the restore, I still can't run MBAM in Safe Mode without a sudden system shutdown. In regular mode MBAM reports no infections, as does Avast antivirus, yet this 'Spyware Protection' keeps finding me - most recently after following a link from the Google News page. I suspect there may be a file lurking somewhere. Not sure if the fact I'm using the laptop wirelessly in my home is a factor? Any ideas?

I appreciate any ideas.

-Brett

Attached are the logs attach.txt and ark.txt. The MBAM and DDS.txt are as follows (note - when running DDS I followed the Avast antivirus recommendation to open in 'sandbox' mode):

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3983

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

4/12/2010 9:20:12 PM

mbam-log-2010-04-12 (21-20-12).txt

Scan type: Full scan (C:\|D:\|F:\|S:\|)

Objects scanned: 396260

Time elapsed: 1 hour(s), 21 minute(s), 52 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 30

Registry Values Infected: 1

Registry Data Items Infected: 4

Folders Infected: 5

Files Infected: 10

Memory Processes Infected:

C:\Users\brett\AppData\Local\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cntntcntr.cntntdic (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cntntcntr.cntntdic.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cntntcntr.cntntdisp (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\cntntcntr.cntntdisp.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\srv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\srv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\zangoax.clientdetector (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\zangoax.clientdetector.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\zangoax.userprofiles (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\zangoax.userprofiles.1 (Adware.Zango) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\zangosa (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\zango@zango.com (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\brett\AppData\Local\ave.exe" /START "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\brett\AppData\Local\ave.exe" /START "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\brett\AppData\Local\ave.exe" /START "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.

C:\Users\brett\AppData\Roaming\Zango (Adware.Zango) -> Delete on reboot.

C:\ProgramData\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.

C:\Users\brett\AppData\Roaming\WeatherDPA (Adware.Hotbar) -> Quarantined and deleted successfully.

C:\Users\brett\AppData\Roaming\WeatherDPA\Weather (Adware.Hotbar) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_ZangoSA.dll (Adware.Seekmo) -> Quarantined and deleted successfully.

C:\Users\brett\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SECLJ1RL\n008102318801r0409J0f000601Ra279044bW81e33969Xda728f46Y91b1dcf1Z03003f361[1] (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Users\brett\AppData\Local\Temp\CSM9977.tmp (Adware.Mongoose) -> Quarantined and deleted successfully.

C:\ProgramData\ZangoSA\ZangoSA.dat (Adware.Zango) -> Quarantined and deleted successfully.

C:\ProgramData\ZangoSA\ZangoSAAbout.mht (Adware.Zango) -> Quarantined and deleted successfully.

C:\ProgramData\ZangoSA\ZangoSAau.dat (Adware.Zango) -> Quarantined and deleted successfully.

C:\ProgramData\ZangoSA\ZangoSAEULA.mht (Adware.Zango) -> Quarantined and deleted successfully.

C:\ProgramData\ZangoSA\ZangoSA_kyf.dat (Adware.Zango) -> Quarantined and deleted successfully.

C:\Users\brett\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

C:\Users\brett\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

.

DDS (Ver_11-03-05.01) - NTFS_AMD64

Run by brett at 19:51:02.46 on Mon 04/11/2011

Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_15

Microsoft

logs.zip
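The Registry Data Items section of the MBAM log above is the most telling part of the scan: the launch commands under HKLM\SOFTWARE\Clients\StartMenuInternet for Firefox and Internet Explorer had been rewritten so that a rogue ave.exe in the user's AppData\Local folder started first and only then launched the real browser with /START. The following PowerShell script is an added example for checking a machine for that same tampering pattern; it is not code from the thread, from Malwarebytes or from the DDS tool, and its two heuristics (a client key named after its binary should launch that binary, and a legitimate launch command references only one .exe) are assumptions made here, not MBAM's detection logic. It is read-only and changes nothing.

```powershell
# Added example, not part of the thread: read-only audit of the browser launch
# commands that the MBAM log reports as Hijack.StartMenuInternet entries, where
# a rogue ave.exe was wrapped around firefox.exe and iexplore.exe.
# Heuristics (assumptions made for this example, not MBAM's own logic):
#   1. When a client key is named after its binary (e.g. FIREFOX.EXE), the first
#      executable in its command must have that same file name.
#   2. A legitimate launch command references exactly one .exe; a command with
#      two ("wrapper" /START "real browser") is the pattern seen in the log.

$roots = @(
    'HKLM:\SOFTWARE\Clients\StartMenuInternet',
    'HKLM:\SOFTWARE\WOW6432Node\Clients\StartMenuInternet',
    'HKCU:\SOFTWARE\Clients\StartMenuInternet'
)

function Get-FirstExecutable {
    param([string]$Command)
    # First token of the command line, with surrounding quotes stripped.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-LaunchCommand {
    param([string]$ClientName, [string]$Command)
    # Returns a reason string when the command looks tampered with, else $null.
    $exeCount = ([regex]::Matches($Command, '(?i)\.exe\b')).Count
    if ($exeCount -gt 1) { return "command references $exeCount executables" }
    if ($ClientName -like '*.exe') {
        $leaf = Split-Path -Leaf (Get-FirstExecutable $Command)
        if ($leaf -ine $ClientName) { return "expected $ClientName, found $leaf" }
    }
    return $null
}

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($client in Get-ChildItem -Path $root) {
        # Both verbs seen in the log: shell\open and shell\safemode.
        foreach ($verb in 'open', 'safemode') {
            $cmdKey = "$($client.PSPath)\shell\$verb\command"
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            if (-not $cmd) { continue }
            $reason = Test-LaunchCommand $client.PSChildName $cmd
            if ($reason) {
                [pscustomobject]@{ Key = $cmdKey; Command = $cmd; Reason = $reason }
            }
        }
    }
}

# The log also shows the NoActiveDesktopChanges policy flipped from 0 to 1; report it.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (Test-Path $policy) {
    $v = (Get-ItemProperty -Path $policy).NoActiveDesktopChanges
    if ($v -eq 1) { Write-Warning "NoActiveDesktopChanges is set to 1 under $policy" }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No tampered StartMenuInternet launch commands found.'
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A hit means only that the launch command does not look like a plain browser path; it is a review list, not a verdict, so compare the flagged command with what the browser's own installer writes before changing anything.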


Staff

Hi and welcome to Malwarebytes.

Please do the following:

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer; please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
  • Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQs here or ask and we'll explain how to do it.


Screen317, thank you for your input. I've followed your instructions and ran an MBAM quick scan in regular mode and then in safe mode. Both showed no malicious items or infections, and no shutdown in safe mode.

All appears to be good, but since nothing was found, I guess I'm still wary that the Spyware Protection spyware may hit me again. Any ideas why neither Avast nor MBAM protected my computer from this beast (or how to specifically protect myself from it)?


After repeated failed attempts at system restore, one finally 'took' (not sure why after repeated failures) and I'm back up in regular mode - at least for now. I know I'm not going into safe mode again, but I also don't know what the problem is. I suspect my issue may not be appropriate for this forum? That said, I appreciate any suggestions or leads to other resources.
