can't get rid of spy-agent.an

Discussion in 'Malware Help (A Specialist Will Reply)' started by lievenv, Apr 5, 2006.

  1. lievenv

    lievenv Private E-2

    Hi,

I’ve been having a couple of virus/spyware problems. They all started after I downloaded a copy of Web_data_Extractor_v4.3.zip. This zip file contained a patcher.exe and also a crack.exe. Right after I ran the crack.exe I got the “firewall is disabled” message (you dumbass I hear you say…I know). This is what I did before I found the majorgeeks website and went through the “read and run me first” procedures:

    ******************************************************************************
    I first used adaware and spybot search and destroy to get rid of a bunch of spyware that was on my computer. This was after I suddenly received the message that windows firewall had been disabled. Security Center couldn’t re-enable it and so the message advised me to go straight to firewall settings in control panel, but “due to an unidentified problem...” or something of the sort, that applet wouldn’t even load. So no way to re-enable my firewall. I then removed a bunch of spyware from my pc (from safe-mode, with restarts, etc…). This didn’t work cos my McAfee viruscan 7 pro kept on detecting viruses (spy-agent.an, proxy-agent.k.gen, etc) but couldn’t remove them as they kept coming back. Then I also found this file “tool3.exe” in my root folder which I couldn’t delete. Then with the help of a little utility smitrem.exe and doing this in safe mode I was able to get rid of the tool3.exe and some other stuff. I also scanned with CWShredder, XoftSpy and hijackthis but they found nothing. Also used mcAfee’s stinger.exe utility, also nothing.
    Eventually I was able to get my firewall back online with SharedAccess.reg http://windowsxp.mvps.org/sharedaccess.htm

Then I installed ZoneAlarm’s latest virusscan/firewall, cos my mcAfee virusscan 7 found the spy-agent.an on every scan, but couldn’t remove it. This spy-agent.an kept on trying to access the internet. I don’t know if this is actually so, but it seemed that every time I scanned my computer (and the virus was detected by mcAfee) it would activate. At that time it creates a process with a different name every time, something like “C4D3.tmp”. This file showed up in a list of processes that connect to the internet. I found these files in my windows/temp folder and also in a windows/prefetch folder. There’s also an executable called ym11[1].exe that found a home in my “local settings\temporary internet files\content.ie5\CHMFG5IJ” folder. I also used Complete Internet Cleanup to try and empty all that, but it’s no use, it stays there (or maybe is copied there from somewhere else).

Anyway, a normal scan with zonealarm’s latest software doesn’t detect any virus, although its firewall does report the processes trying to access the internet zone and the trusted zone. Then I ran a byte-level virus scan, but nothing.
    Also, after I installed zonealarm I couldn’t access the internet any longer: Limited or no connectivity error. I found the answer to that here http://www.pcreview.co.uk/forums/thread-1701201.php
    This solved that problem:
    1. from cmd: netsh int ip reset resetlog.txt
    2. From cmd: netsh winsock reset
    3. Reboot

    Then I installed McAfee Virusscan 10 and it found the .tmp files and the ym11[1].exe and removed it all, or so I thought.

    Just as I was celebrating, an E537.tmp popped up in my taskmanager's process window and ZoneAlarm's firewall gave me the same old warning.

    So all that seems to be remaining is this “virus” or whatever it is, that creates processes…

    ******************************************************************************
    Then I uninstalled ZoneAlarm, kept McAfee and ran through the entire majorgeeks procedure and yes, I followed it to the letter ;-). Here are the results of that:

    1. CCleaner did its cleaner job.

    2. Microsoft windows malicious software remover tool didn’t find anything.

    3. Spybot Search & Destroy found and fixed:
    - Windows Security Center.AntivirusDisableNotify 1 entries
    - Windows Security Center.FirewallDisableNotify 1 entries
    - Windows.ActiveDesktop 1 entries
    I also ran the immunize feature and got the message “2576 bad products are now blocked”

    4. I had to run CounterSpy because Defender would not install (it told me I needed a valid Microsoft product key). Here are the results:
    - Unclassified.Spyware.103 Spyware (2 objects)
    Spyware components detected: 1

    5. AboutBuster 6.01 (because before Spybot gave me messages that something changed somewhere, sorry don’t remember what exactly, but the message said new value about:blank and so I wanted to scan for this)
    No ads found

    6. I also ran CWShredder (found nothing)
    7. I also ran kill2Me
    7. I also ran smitRem (see log)
    8. I also ran HS Remove v2.40 (10 Items Removed. REMOVAL COMPLETE)

    9. Bitdefender came up with a couple of viruses (amongst others that crack.exe that started it all), but was able to remove most of them (see log)
    10. So did Panda Activescan (see log). This one did ask me right before the scan terminated, which outlook profile I wanted to use????? I just canceled that…

    RUN FROM SAFE MODE WITH NETWORKING

    11. Then I ran HijackThis (see log). Nothing seemed too out of the ordinary there…
    12. In the meantime, I checked the running processes, and there it was again E44A.tmp :’(

    13. Ran BitDefender again after I manually deleted the compressed files that contained viruses and it didn’t find any problems anymore. There was a 23ED.tmp process running though :’(

    14. Went over some special removal procedures:
    - SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal: nothing
    - About:Blank and HSA: Judging from the hijackThis log I don’t seem to have any of the symptoms, or do I ?
    - I looked at all the others too, but I don’t seem to have those symptoms
    - I also let hijackthis remove all the 01 keys

    15. Ran SpySweeper: It found 3 trojan horses (see log). After I removed them and closed SpySweeper, I found an 8EFA.tmp process running :’(

    16. Ran ewido anti-malware: it found and cleaned 4 infections (see log)

    17. Ran Trojanscan and it found 1 Malware, but it’s an executable that’s part of the smitRem files: \smitrem\process.exe. So I’m guessing that’s ok. Trojanscan gave me this description for it: “Riskware.RiskTool.Win32.Processor.20”
    Checked the running processes in taskmanager again and there it was 27D3.tmp, sigh…

    18. Ran Kaspersky On-line Scanner and it found 3 viruses and 10 infected objects. (see log)

    19. Ran a complete Trend Micro's Free Online Virus Scan. It found:
    - TSPY_AGENT.BRE (removed on first pass)
    - ADW_SE.123473 (all the ADW’s could not seem to be removed)
    - ADW_SE.123475
    - ADW_SE.123477
    - ADW_SE.123478
    - ADW_SE.123481

    All the ADW infections seemed to be in the registry. 3 infections per ADW, namely:
    HKCU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com

    HKCU\S-1-5-21-1547161642-1202660629-1957994488-1003\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com

    HKCU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com

    Exactly the same registry keys for the other 4 ADW’s but with:
    - commission-junction.com
    - fastclick.com
    - fastclick.net
    - linksynergy.com
    In that order.

    Checked taskmanager again and now there were two processes: B328.tmp and 75A4.tmp

    20. Ran a-squared but it didn’t detect anything except the smitRem process.exe and a couple of StumbleUpon registry entries. I installed stumbleupon months ago myself. (see log)

    21. Ran avast! Virus Cleaner Tool and it found no viruses in memory and no virus bodies (0 infections), although a 43B9.tmp process was running… Two files could not be scanned though. I included the log.

    22. I already ran stinger before starting this entire procedure, but I just ran it again. Stinger didn’t find anything.

    23. Restarted my computer in normal mode to run Blacklight Beta. When I restarted spybot kept giving me messages like

    Browser Page – Value changed
    Old data: %systemroot%\system32\blank.htm
    New data: C:\WINDOWS\SYSTEM32\blank.htm

    Anyway, Blacklight didn’t find anything, but I included the log anyway.

    No tmp processes running though…

    24. Decided to scan once more with McAfee and it found and removed three tmp files in the windows temp folder.

    25. I also included a final hijackthis log.

    Anyone?
     

    Attached Files:
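For anyone hunting the symptom lievenv describes (a process named like C4D3.tmp or E537.tmp running from a Temp or Prefetch folder and opening network connections), here is an added PowerShell check; it is not part of the thread or of any tool mentioned in it. It assumes an elevated PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for Get-NetTCPConnection) and treats Windows\Temp, Windows\Prefetch and the user’s %TEMP% as the suspect folders.

```powershell
# Added example, not from the thread. Finds running processes whose image is a
# randomly named "XXXX.tmp" (four hex characters) executing from Windows\Temp,
# Windows\Prefetch or the user's Temp folder, the pattern lievenv reports.
# For each hit it shows the parent process, the SHA-256 of the file and any live
# TCP connections, so the sample can be preserved and submitted before cleanup.
# Assumes elevated PowerShell 5.1+ on Windows 8 / Server 2012 or later.

$suspectName = '^[0-9A-Fa-f]{4}\.tmp$'
$suspectDirs = @("$env:SystemRoot\Temp", "$env:SystemRoot\Prefetch", $env:TEMP) |
               Where-Object { $_ }          # drop any variable that is unset

# Snapshot all processes once and index by PID so parents can be resolved.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

$hits = foreach ($p in $procs) {
    if (-not $p.ExecutablePath) { continue }   # System, Idle, protected processes
    $leaf = Split-Path -Path $p.ExecutablePath -Leaf
    $dir  = Split-Path -Path $p.ExecutablePath -Parent
    $inSuspectDir = $suspectDirs | Where-Object { $dir -like "$_*" }
    if ($leaf -match $suspectName -and $inSuspectDir) { $p }
}

foreach ($h in $hits) {
    $parent = $byPid[[uint32]$h.ParentProcessId]
    $hash   = Get-FileHash -Algorithm SHA256 -Path $h.ExecutablePath -ErrorAction SilentlyContinue
    $conns  = Get-NetTCPConnection -OwningProcess $h.ProcessId -ErrorAction SilentlyContinue |
              ForEach-Object { '{0}:{1} [{2}]' -f $_.RemoteAddress, $_.RemotePort, $_.State }

    $parentImage = if ($parent) { $parent.ExecutablePath } else { '<exited or unknown>' }
    $sha256      = if ($hash)   { $hash.Hash }             else { '<unreadable>' }
    $tcp         = if ($conns)  { $conns -join '; ' }      else { '<none>' }

    [pscustomobject]@{
        PID         = $h.ProcessId
        Image       = $h.ExecutablePath
        Created     = $h.CreationDate
        ParentPID   = $h.ParentProcessId
        ParentImage = $parentImage
        SHA256      = $sha256
        TCP         = $tcp
    }
}
```

The ParentImage column is the useful part for a case like this one: the .tmp file is only a dropped payload, and whatever keeps spawning it (here it was the Winlogon Notify entry chaslang points out) is what has to be removed.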

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Well with all that info I'm a little confused as to what your current malware status is. Are you having any current problems?

    You do have too many full blocking tools running:
    Ewido
    Spybot - Search & Destroy TeaTimer (which we do request not to use in the READ ME)
    Spy Sweeper

    Other than that you only have one line to fix in your HJT log. Fix the below:
    O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

Also make sure you delete all files and subfolders in the C:\WINDOWS\temp folder
     
  3. lievenv

    lievenv Private E-2

    Thank you for the warm welcome :)
    I removed the SensSrv entry and emptied the temp folder with ccleaner.
    I don't seem to have any more problems now (no more tmp processes), but I'll wait a little while longer with the celebrations.
    I removed all the spyware detectors from my system, but scanned with everyone of them (with the latest updates) before doing so and none of them found anything.
    The only problem I have now is that I can't seem to enable McAfee Virusscan. I can run scans, but the ActiveShield function doesn't seem to want to be activated. I suspect this has something to do with tea-timer cos during the whole removal procedure I said "deny change" or entry and remember decision to a couple of McAfee related spybot messages. I did remove spybot though and it still does not want to activate...

    Any thoughts on this?

    Thanks!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You should not remove ALL of them. You need one full real time antispyware blocking tool. You just had too many before (Ewido, CounterSpy, Spy Sweeper, and Spybot's Teatimer) and you only should have one.

    All I can suggest with this is to uninstall, reboot, and then reinstall and see what happens. Based on your last HJT log you may have broken it while you were deleting whatever you were deleting. See the two O23 service lines:
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe (file missing)
     
  5. lievenv

    lievenv Private E-2

    Yeah, I might have been a little overzealous ;)
    However, I reinstalled virusscan and now everything is working nicely.
    I also have the full McAfee Security Suite 2006 with AntiSpyware installed, so I should be ok.
    Thanks for all the hints and tips Major!

    Vincent
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
