Hi, I bought Malwarebytes about a week ago because my PC was running slow and I thought I had been infected. I ran the in-depth scanner and it picked up a dozen or so trojans. OK, I was very happy, then a friend contacted me and warned that he was having a problem with Skype and warned that the infection could have been transferred to mine. I ran Malwarebytes and luckily it was clear, but I still had a nagging feeling about it, so I ran the free version of Avast and within 10 seconds of running it I had 3 infections show up.
Obviously as I bought this I'm not going to pay for Avast to remove them so I'm including the info here. Please let me know what to do.
----------------------------------------------------------------
From Avast
Spyware Details
Name: BrowserAid
Type: Registry
Level: HIGH RISK
Location: HKEY_CLASSES_ROOT\appid\bho.dll
Description: BrowserAid is a family of interrelated Internet Explorer toolbars and hijackers from browseraid.com, most of which seem to be stealth-installed.
Advice: CyberDefender earlySPY recommends you remove this risk item.
------------------------------------------------------------------------
Spyware Details
Name: Parental Control Tool
Type: Registry
Level: HIGH RISK
Location: HKEY_CURRENT_USER\Software\ASProtect
Description: Spyware may monitor your activity on the Internet and transmits that information, in the background, to someone else. Spyware can also gather information about e-mail addresses, passwords and credit card numbers.
Advice: CyberDefender earlySPY recommends you remove this risk item.
-------------------------------------------------------------------
Spyware Details
Name: MSN Track Monitor
Type: Registry
Level: HIGH RISK
Location: HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
Description: Spyware may monitor your activity on the Internet and transmits that information, in the background, to someone else. Spyware can also gather information about e-mail addresses, passwords and credit card numbers.
Advice: CyberDefender earlySPY recommends you remove this risk item.
#1
Posted 23 August 2009 - 11:52 AM
#2
Posted 23 August 2009 - 12:05 PM
Welcome franci
Did you ask over at avast! forum about that infection?
http://forum.avast.c...x.php?board=4.0
Can you move the detected files to the protected Chest area?
E5200 2.5GHZ, 4GB RAM, 320GB HD, Win7 Home Premium 64-bit, avast! V6.0 Free, IE9
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3, 32-bit, avast! V6.0 Pro, Macrium Reflect
with IE8 and Chrome, hpHosts, MVPS HOSTS files, MBAM Full, OpenDNS, SpeedFan, WinPatrol PLUS
#3
Posted 23 August 2009 - 02:35 PM
Avast does not detect registry entries like this and this is not avast you are running:
Advice: CyberDefender earlySPY recommends you remove this risk item.
Somehow you were tricked into installing CyberDefender, an application with a bad history:
http://74.125.93.132/search?q=cache:7gT7_h...=clnk&gl=us
http://www.google.com/search?hl=en&q=C...;oq=&aqi=g1
#4
Posted 23 August 2009 - 03:36 PM
I'm thinking this is more a case the user downloaded CyberDefender by mistake, looking for Malwarebytes. This happens all the time due to marketing ploys by download sites to prominently display paid adverts.
#5
Posted 23 August 2009 - 04:05 PM
nosirrah, on Aug 23 2009, 03:35 PM, said:
Avast does not detect registry entries like this and this is not avast you are running:
Advice: CyberDefender earlySPY recommends you remove this risk item.
Somehow you were tricked into installing CyberDefender, an application with a bad history:
http://74.125.93.132/search?q=cache:7gT7_h...=clnk&gl=us
http://www.google.com/search?hl=en&q=C...;oq=&aqi=g1
#6
Posted 23 August 2009 - 04:06 PM
Also, the "BrowserAid" detection is almost certainly a False Positive. It must have been four or five years ago since I last came across one of those....
There is at least one legitimate application (Snagit is one I know of) that registers the exact same key
#7
Posted 23 August 2009 - 04:06 PM
YoKenny1, on Aug 23 2009, 01:05 PM, said:
Welcome franci
Did you ask over at avast! forum about that infection?
http://forum.avast.c...x.php?board=4.0
Can you move the detected files to the protected Chest area?
No I never, to be honest I don't have the time that is why I purchased Malwarebytes.
#8
Posted 23 August 2009 - 04:08 PM
TonyKlein, on Aug 23 2009, 05:06 PM, said:
Also, the "BrowserAid" detection is almost certainly a False Positive. It must have been four or five years ago since I last came across one of those....
There is at least one legitimate application (Snagit is one I know of) that registers the exact same key
Yes I use snagit all the time
#9
Posted 23 August 2009 - 04:25 PM
franci, on Aug 23 2009, 06:08 PM, said:
Yes I use snagit all the time
Well, you can write that 'detection' off right away then...
I have a hunch that the other items may well be False Positives too, but we'd have to see exports of the registry keys in question if we're to be sure
Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat
< batchfile removed by TonyKlein pending adaptation >
Double-click your newly created reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
#10
Posted 23 August 2009 - 09:48 PM
TonyKlein, on Aug 23 2009, 04:25 PM, said:
Well, you can write that 'detection' off right away then... 
I have a hunch that the other items may well be False Positives too, but we'd have to see exports of the registry keys in question if we're to be sure
Please copy the text in the box below to Notepad and save it to your desktop as reginfo.bat
Regedit /e Info1.txt "HKEY_CURRENT_USER\Software\ASProtect"
Regedit /e Info2.txt "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
copy Info1.txt + Info2.txt RegInfo.txt
del Info1.txt
del Info2.txt
Start RegInfo.txt
Double-click your newly created reginfo.bat file, and it will run and create a text document on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
Ok I did that, however I keep getting an error message which won't let me save or paste so I have attached a screenshot of it.
thanks
#11
Posted 24 August 2009 - 04:40 AM
I saw your error and just thought I'd jump in with a quick assist. Since you're running Vista you'll need to right-click on the .bat file you created and select Run as administrator and then click Continue at the User Account Control prompt. If you have User Account Control disabled then I HIGHLY recommend that you turn it back on for the security of your PC as well as compatibility with software, as the majority of current programs are UAC aware and will fail if run with incorrect privileges, which is what happens when UAC is off.
#12
Posted 24 August 2009 - 06:48 AM
Thanks, exile360 
Also, I was careless myself as well.
After following exile360's advice, please create the following batfile, call it peek.bat, and run that instead:
regedit /e peek1.txt "HKEY_CURRENT_USER\Software\ASProtect"
regedit /e peek2.txt "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
del peek*.txt
start notepad look.txt
Post the contents of the created look.txt file
#13
Posted 24 August 2009 - 10:24 AM
exile360, on Aug 24 2009, 05:40 AM, said:
I saw your error and just thought I'd jump in with a quick assist. Since you're running Vista you'll need to right-click on the .bat file you created and select Run as administrator and then click Continue at the User Account Control prompt. If you have User Account Control disabled then I HIGHLY recommend that you turn it back on for the security of your PC as well as compatibility with software, as the majority of current programs are UAC aware and will fail if run with incorrect privileges, which is what happens when UAC is off.
Thanks for your help here I should have known that
#14
Posted 24 August 2009 - 10:27 AM
TonyKlein, on Aug 24 2009, 07:48 AM, said:
Thanks, exile360 
Also, I was careless myself as well.
After following exile360's advice, please create the following batfile, call it peek.bat, and run that instead:
regedit /e peek1.txt "HKEY_CURRENT_USER\Software\ASProtect"
regedit /e peek2.txt "HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
del peek*.txt
start notepad look.txt
Post the contents of the created look.txt file
Ok here it is:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ASProtect]
[HKEY_CURRENT_USER\Software\ASProtect\SpecData]
@="E6657A401DB572AB"
"E6657A401DB572AB"=hex:a9,c5,92,b6,5f,47,3d,f7,c5,83,6a,0a,47,3a,73,b2,62,0f,\
4b,07,b8,64,73,53,94,60,64,ed,83,fa
"8AB2DCE2F3BB1387"=hex:4c,29,80,1d,b5,e6,3d,56,19,4f,52,c2,1a,56,5a,70,52,e0,\
fa,59,58,ef,af,dd,83,a2,4e,bd,6c,a9
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CameraWindow]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CameraWindow\Settings]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\Samsung Media Studio]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\Samsung Media Studio\Settings]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\Viewer]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\Viewer\Settings]
#15
Posted 24 August 2009 - 11:03 AM
Thanks!
I think we consider those two remaining detections False Positives as well. The "ASProtect" registry key could be created by any number of applications, and it is harmless by itself anyway.
As for "Local AppWizard-Generated Applications", as you can see for yourself it only references legitimate applications, so you can disregard that one as well.
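Added example, not part of the original thread or any poster's code: a small parser for the regedit export text posted above, which lists what actually sits under a flagged key so the subkeys and values can be reviewed the way the reply does by eye. The sample input is constructed (the thread's key names with made-up hex data), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the look.txt export posted in this thread:
# same key names, made-up hex data, and the repeated header that results
# from concatenating two regedit /e exports.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ASProtect]
[HKEY_CURRENT_USER\Software\ASProtect\SpecData]
@="0011223344556677"
"0011223344556677"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,\
  13,14,15,16
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CameraWindow]
[HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CameraWindow\Settings]
'''
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode(data):
    """Turn the right-hand side of a value line into (type, python value)."""
    if data.startswith('"'):
        return ("REG_SZ", re.sub(r'\\(.)', r'\1', data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    if data.startswith("hex"):  # hex: is REG_BINARY, hex(N): is another raw type
        kind, _, body = data.partition(":")
        return ("REG_BINARY" if kind == "hex" else kind, bytes.fromhex(body.replace(",", "")))
    return ("UNKNOWN", data)

def parse_reg_export(text):
    """Return {key_path: {value_name: (type, data)}} for regedit export text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]  # hex data continues on the next line
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = decode(m.group(2))
    return keys

def summarize(keys, root):
    """Immediate subkey names and total value count under a flagged key."""
    prefix = root.lower() + "\\"
    under = {k: v for k, v in keys.items() if (k.lower() + "\\").startswith(prefix)}
    children = sorted({k[len(prefix):].split("\\")[0] for k in under if len(k) > len(root)})
    return children, sum(len(v) for v in under.values())
```

A file written directly by regedit /e is UTF-16, so open it with encoding="utf-16" before passing its text to parse_reg_export.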
#16
Posted 25 August 2009 - 09:25 AM
[quote name='TonyKlein' date='Aug 24 2009, 12:03 PM' post='114080']
Thanks!
I think we consider those two remaining detections False Positives as well. The "ASProtect" registry key could be created by any number of applications, and it is harmless by itself anyway.
As for "Local AppWizard-Generated Applications", as you can see for yourself it only references legitimate applications, so you can disregard that one as well.
[/quote]
Thanks for your help here I appreciated it
#17
Posted 25 August 2009 - 09:30 AM
np at all; glad we were able to help.
Happy surfing!