Scruffy5389 Posted December 16, 2006

Lately I have been getting pop-ups with nearly super powers from a site called "amaena," or sometimes "errorsafe." Mostly, I can close these without any trouble, but others in my family are less computer savvy, and someone hit 'download.' So, now I have a virus on my desktop called 'WinAntiVirusPro 2006.' It pretends to be a security feature, but it's obviously a big security threat. I have found several sites that claim they know how to get rid of it, but I can't tell if these sites are trustworthy or not. So, my question is this: Is the site 'Spywareadvisory.com' a trustworthy site from which I may download an "Amaena Detector" that will remove the problem? It was a "sponsored link" from Google and looks legit, but there are typos in the text, and the virus I already have looks legit, too. Any help appreciated. Thanks

EDIT: Okay, now I'm noticing that although my address bar says "Spywareadvisory.com," the site claims that it is a .org site. Even less trustworthy. Anyone know what else I can try to get rid of amaena or WinAntiVirus Pro or whatever it calls itself at the moment?
coltm4carbine Posted December 16, 2006

Can you do a HJT log please. Smells like Vundo to me. IMO none of them are trustworthy.
Nadril Posted December 17, 2006

I've had something like this before, it's a pain. [asked me to download a video codec :/]. Was a pain to get off, definitely post a HJT log. Also, I believe there is a fix for it lurking somewhere online, although I can not remember where.
Scruffy5389 Posted December 18, 2006

Thanks for your responses, guys. Sorry it took me a lil while to respond. Anyway, can you give me a quick explanation of what a HijackThis log is (or a link to such an explanation)? I've heard about it but I don't know how to do it. I tried a quick search but couldn't find a tutorial. Just point me in the right direction and I'll figure it out.

Also, I just performed a system restore to almost a month ago and the problem appears to be solved. The icon is no longer on my desktop; the viral program no longer seems to be running. But I can't believe it would be that easy, and the "WinAntiVirus Pro 2006" folder is still in my "C:\Program Files" folder. Anyone who knows what they're talking about, feel free to comment on what I may or may not have done by doing a system restore. Oh yeah, in case anyone needs to know, I'm running Windows XP. Thanks
PumpkinPete112 Posted December 18, 2006

Download it from here http://www.download.com/HijackThis/3000 ... ag=lst-0-1 Install, run it, and post what it finds.
Scruffy5389 Posted December 18, 2006

Yeah, after that last post I looked around the forum for thirty seconds longer and found exactly what I needed. Shoulda done that in the first place. Anyway, this is after I performed a system restore. I wish I had done one of these before then.

Logfile of HijackThis v1.99.1
Scan saved at 11:13:36 PM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\scvhost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\bak\IAMAPP.exe
C:\Program Files\Norton Internet Security\ATRACK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Russell\LOCALS~1\Temp\Rar$EX02.641\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redir ... 01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redir ... 01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {7CD5E71A-1576-45A9-9A84-368111603647} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/c ... /ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/c ... /pt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/m ... Loader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.zango.com/GetZango/Download/zangoax.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

Thanks all. :D
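As an added example, not code from this thread or from HijackThis itself, the following Python script reads HijackThis-style output and flags the two patterns a reviewer checks first in a log like the one above: a running executable whose name is one edit away from a System32 binary, or that carries a System32 binary's name but runs from somewhere else, and an O23 service with no listed owner whose short name matches a Windows component. The sample lines are excerpted from the log posted above, with the forum's "[Caution: ExecutableFile]" substitution read as ".exe"; the list of system binaries is an assumption of the example, not something the thread states.

```python
import re

# Windows XP binaries that belong in %SystemRoot%\System32 and that malware
# commonly imitates by name. This list is an assumption of the example.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "spoolsv.exe"}
SYSTEM_DIR = r"c:\windows\system32"

# O23 lines: "O23 - Service: <display> (<short>) - <owner> - <path>"; the
# parenthesised short name is absent on some lines, so it is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$")
# Bare executable paths as listed under "Running processes:".
EXE_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)


def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (scv -> svc) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def imitated_system_binary(filename):
    """Return the System32 binary this filename equals or is one edit from."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return name
    for sysbin in sorted(SYSTEM_BINARIES):
        if osa_distance(name, sysbin) <= 1:
            return sysbin
    return None


def check_exe(path):
    """Reason a path looks like a system-binary impostor, or None if it looks fine."""
    directory, _, filename = path.lower().rpartition("\\")
    sysbin = imitated_system_binary(filename)
    if sysbin is None:
        return None
    if filename != sysbin:
        return f"{filename} is one edit away from {sysbin}"
    if directory != SYSTEM_DIR:
        return f"{filename} runs from {directory}, not {SYSTEM_DIR}"
    return None


def analyse_hjt(lines):
    """Scan HijackThis output; return (section, reason, line) for each hit."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            short = (m.group("short") or "").lower()
            reasons = []
            if m.group("owner") == "Unknown owner" and short + ".exe" in SYSTEM_BINARIES:
                reasons.append(f"service '{short}' mimics a Windows component but has no known owner")
            path_reason = check_exe(m.group("path"))
            if path_reason:
                reasons.append(path_reason)
            if reasons:
                findings.append(("O23", "; ".join(reasons), line))
        elif EXE_RE.match(line):
            reason = check_exe(line)
            if reason:
                findings.append(("process", reason, line))
    return findings


# Sample input: lines excerpted from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
""".splitlines()

if __name__ == "__main__":
    for section, reason, line in analyse_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample it reports two hits: the running process C:\WINDOWS\scvhost.exe (one transposition away from svchost.exe and outside System32) and the O23 service registered under the name lsass with an unknown owner pointing at that same file. The Adobe LM Service line, which also shows "Unknown owner", is deliberately not flagged: HijackThis prints that for many legitimate third-party services, so owner alone is a weak signal and the check requires a Windows-component name or a suspicious path as well.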
coltm4carbine Posted December 18, 2006

Since you've done a system restore then I think you're alright now. The reason why you can still see the file is because system restore saves all your files too. You can manually delete that file if you want. Move HJT out of the temp. Save it to a new folder on your desktop.
compfreak847 Posted December 19, 2006

If you still have problems, download Spybot S&D. Your restore should have killed all but the hardiest spyware :lol: