connie6121

SmartEnhancer and Friends keep coming back


Hello,

I've been working on a friend's infected laptop for several weeks. It has been pronounced clean by another expert, and I see nothing in the HJT logs to dispute that opinion, but there is still one issue bothering me.

History: To clean infections, I have run the Avira Rescue Disk, turned off System Restore, and run Avira A-V, Malwarebytes and Spybot S&D, which all found much infection but now find nothing. Also ran the F-Secure online scan, which found, I think, 4 items.

Super also found many, and is still finding something (more on that below).

Current:

There are still entries in the msconfig Startup that I would like to remove but don't know how. They are unchecked, and not running in Task Manager. The only checked items in Startup are Avira and Spybot TeaTimer.

Also remaining in Add-Remove Programs is Mirar, which I cannot remove from there. When I try, it wants to get online, which I mostly have not been allowing. I finally did let it online once. The website required me to affirm that Mirar was not spyware before any other buttons would work, but then still did not remove it.

The laptop is totally offline - no phone cable attached, and Wi-Fi is disabled.

Now back to Super. Every time I run it, it finds the same group of infections, generally labeled as SmartEnhancer-AD. In Quick Scan, it finds 7 registry entries, and in Full Scan it finds 35 registry entries plus 1 file. In Safe Mode, it only finds the 7. It wants to restart to finish cleaning, and I do that. Then I run Super again, and it finds them again. Over and over and over. They all appear in the Quarantine folders, each time I've run it. I can't find the file where it should be (C:\Program Files\VisualTool\VisualTool-1), or with Start >Search. System Restore is still off, the Recycle Bin is empty, and the last several days I have been deleting all quarantine files after every run.

I've pretty much decided that Super is removing these items, but something is still running that puts them back on reboot, and I can't find it. My last try was starting msconfig Services and unchecking (1) AOL Connectivity Service, (2) Symantec Core LC and (3) Windows Media Player Network Sharing Service - not from Microsoft, listed as unknown manufacturer.

I don't know much about working with the registry, but decided it was okay to 'look'.

General info on the registry entries: There are 5 ID(?) numbers

68BF610F-C5CD-C624-6B44-224AEE8B95EB

E2ED872C-4118-2D61-A187-6100030472B0

E4424E6E-B629-0171-CD10-959D401754AD

829537D5-A960-FEB0-C6DB-654DDA176EA5

F3A54897-9E68-B11E-A37A-4D1422CE9CAA

I went farther with some called VisualTool.PornPro, assuming that if I managed to delete them it would be no loss. However, I could not. The message was "cannot delete -- Error while deleting key".

I discovered that the 'owner' of these is not 'administrator', or the laptop owner, but something called 'S-1-5-21-1360426424-1458802794-909473479-1006'. I did manage to change the owner of one of them to the laptop owner, but still could not delete.

I hope you can help - it's driving me nuts!!

Thank You!

Connie

Note: These logs are not from today, as I have not transferred today's to this computer, but they are exactly the same as today's. It has not been online since these logs were run.

Here is the 'Safe Mode' log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 02/26/2009 at 01:11 PM

Application Version : 4.25.1012

Core Rules Database Version : 3775

Trace Rules Database Version: 1734

Scan type : Complete Scan

Total Scan Time : 01:14:50

Memory items scanned : 195

Memory threats detected : 0

Registry items scanned : 5763

Registry threats detected : 7

File items scanned : 18730

File threats detected : 0

Trojan.Unclassified/SmartEnhancer-AD

HKLM\Software\Classes\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\InprocServer32

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\ProgID

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\Programmable

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\TypeLib

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\VersionIndependentProgID

And here is the 'Windows' log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 02/26/2009 at 02:03 PM

Application Version : 4.25.1012

Core Rules Database Version : 3775

Trace Rules Database Version: 1734

Scan type : Complete Scan

Total Scan Time : 00:27:59

Memory items scanned : 397

Memory threats detected : 0

Registry items scanned : 5751

Registry threats detected : 35

File items scanned : 18734

File threats detected : 1

Trojan.Unclassified/SmartEnhancer-AD

HKLM\Software\Classes\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\InprocServer32

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\InprocServer32#ThreadingModel

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\ProgID

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\Programmable

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\TypeLib

HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\VersionIndependentProgID

HKCR\VisualTool.PornPro_BHO.1

HKCR\VisualTool.PornPro_BHO.1\CLSID

HKCR\VisualTool.PornPro_BHO

HKCR\VisualTool.PornPro_BHO\CLSID

HKCR\VisualTool.PornPro_BHO\CurVer

HKCR\TypeLib\{829537D5-A960-FEB0-C6DB-654DDA176EA5}

HKCR\TypeLib\{829537D5-A960-FEB0-C6DB-654DDA176EA5}\1.0

HKCR\TypeLib\{829537D5-A960-FEB0-C6DB-654DDA176EA5}\1.0\0

HKCR\TypeLib\{829537D5-A960-FEB0-C6DB-654DDA176EA5}\1.0\0\win32

HKCR\TypeLib\{829537D5-A960-FEB0-C6DB-654DDA176EA5}\1.0\FLAGS

HKCR\TypeLib\{829537D5-A960-FEB0-C6DB-654DDA176EA5}\1.0\HELPDIR

C:\PROGRAM FILES\VISUALTOOL\VISUALTOOL-1.DLL

HKCR\Interface\{68BF610F-C5CD-C624-6B44-224AEE8B95EB}

HKCR\Interface\{68BF610F-C5CD-C624-6B44-224AEE8B95EB}\ProxyStubClsid

HKCR\Interface\{68BF610F-C5CD-C624-6B44-224AEE8B95EB}\ProxyStubClsid32

HKCR\Interface\{68BF610F-C5CD-C624-6B44-224AEE8B95EB}\TypeLib

HKCR\Interface\{68BF610F-C5CD-C624-6B44-224AEE8B95EB}\TypeLib#Version

HKCR\Interface\{E2ED872C-4118-2D61-A187-6100030472B0}

HKCR\Interface\{E2ED872C-4118-2D61-A187-6100030472B0}\ProxyStubClsid

HKCR\Interface\{E2ED872C-4118-2D61-A187-6100030472B0}\ProxyStubClsid32

HKCR\Interface\{E2ED872C-4118-2D61-A187-6100030472B0}\TypeLib

HKCR\Interface\{E2ED872C-4118-2D61-A187-6100030472B0}\TypeLib#Version

HKCR\Interface\{E4424E6E-B629-0171-CD10-959D401754AD}

HKCR\Interface\{E4424E6E-B629-0171-CD10-959D401754AD}\ProxyStubClsid

HKCR\Interface\{E4424E6E-B629-0171-CD10-959D401754AD}\ProxyStubClsid32

HKCR\Interface\{E4424E6E-B629-0171-CD10-959D401754AD}\TypeLib

HKCR\Interface\{E4424E6E-B629-0171-CD10-959D401754AD}\TypeLib#Version
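As an added defender-side example (not from the post or from SUPERAntiSpyware), here is a small Python parser for the scan-log layout quoted above: it pulls out the flagged registry keys and file, groups each GUID by the registry role it plays (CLSID, TypeLib, Interface, which together are the footprint of one COM/BHO registration), and checks the listed hits against the summary counts. The assumption that '#' separates a key path from a value name, and the log excerpt itself (constructed from the post's own lines), are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt of the scan log quoted in the post (same paths, fewer lines).
SAS_LOG = r"""SUPERAntiSpyware Scan Log
Generated 02/26/2009 at 02:03 PM
Registry threats detected : 5
File threats detected : 1

Trojan.Unclassified/SmartEnhancer-AD
HKLM\Software\Classes\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}
HKCR\CLSID\{F3A54897-9E68-B11E-A37A-4D1422CE9CAA}\InprocServer32#ThreadingModel
HKCR\VisualTool.PornPro_BHO.1\CLSID
HKCR\TypeLib\{829537D5-A960-FEB0-C6DB-654DDA176EA5}\1.0
C:\PROGRAM FILES\VISUALTOOL\VISUALTOOL-1.DLL
HKCR\Interface\{68BF610F-C5CD-C624-6B44-224AEE8B95EB}\TypeLib#Version
"""

HIVES = ("HKLM\\", "HKCR\\", "HKCU\\", "HKU\\", "HKCC\\")
GUID_RE = re.compile(r"\{([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}", re.I)
SUMMARY_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")

def parse_sas_log(text):
    """Split a SAS log into header fields and per-threat registry/file hits."""
    header = {}
    threats = defaultdict(lambda: {"registry": [], "files": []})
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(HIVES):
            # Assumption: '#' separates the key path from a value name in SAS logs.
            key, _, value = line.partition("#")
            threats[current]["registry"].append((key, value or None))
        elif re.match(r"^[A-Za-z]:\\", line):          # a file hit, e.g. C:\...
            threats[current]["files"].append(line)
        elif "/" in line and " " not in line:           # Trojan.Unclassified/SmartEnhancer-AD
            current = line
        else:
            m = SUMMARY_RE.match(line)                  # "Registry threats detected : 5"
            if m:
                header[m.group(1).strip()] = m.group(2).strip()
    return header, dict(threats)

def guid_roles(registry_hits):
    """Map each GUID to the registry roles it plays (CLSID, TYPELIB, INTERFACE)."""
    roles = defaultdict(set)
    for key, _ in registry_hits:
        m = GUID_RE.search(key)
        if m:
            parts = key.upper().split("\\")
            roles[m.group(1).upper()].add(parts[parts.index("{%s}" % m.group(1).upper()) - 1])
    return dict(roles)

def check_counts(header, threats):
    """True when the hits listed in the log match the header's own totals."""
    reg = sum(len(t["registry"]) for t in threats.values())
    files = sum(len(t["files"]) for t in threats.values())
    return (reg, files) == (int(header["Registry threats detected"]),
                            int(header["File threats detected"]))
```

Run over the full log in the post, the GUID roles show that the five IDs are one CLSID, one TypeLib and three Interfaces of the same BHO, which is why removing only the CLSID leaves it re-registrable.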


Update:

Per the answer to another question, I have today downloaded the SAS new version, the manual updates, and the uninstaller, and run all of those.

The results have not changed at all.

The laptop is 2-3 yrs old, running Win XP Media Center, SP2. When it finally gets clean, I will update it to SP3.

It got infected in the first place by her grandchildren borrowing it.

Thanks Again!

Connie


I have started the ticket - Thank You.

While waiting for the next step, I'm continuing to look at the registry - not changing, just getting more acquainted with it, and finding available tools.

Connie
