SpywareStormer

[rolu]

Found by Spybot S&D.
Has three entries.
It was found a day ago. After cleaning it didn't show up.
It now does!
I have now three infections in the same registry spots.
I'm running 98SE.
Ad-AwareSE.
SpyBot S&D.
SpywareBlaster.
A-squared.
AVG 7.0 free.
*All updated* and run as of 2.00am UTC 13/04/05
CWShredder 2.14 doesn't find anything.
I have a Hijackthis 1.99.1 log
---
Thanks
rolu

[siljaline]

"rolu" wrote:
> Found by Spybot S&D.
> Has three entries.
> It was found a day ago. After cleaning it didn't show up.
> It now does!
> I have now three infections in the same registry spots.
> I'm running 98SE.
> Ad-AwareSE.
> SpyBot S&D.
> SpywareBlaster.
> A-squared.
> AVG 7.0 free.
> *All updated* and run as of 2.00am UTC 13/04/05
> CWShredder 2.14 doesn't find anything.
> I have a Hijackthis 1.99.1 log

"SpywareStormer" is a *rogue* anti-spyware scanner scam.
<http://www.webhelper4u.com/scams/spywarestromer.html>
<http://www.spywarewarrior.com/rogue_anti-spyware.htm>

Post your HijackThis log here:
<http://aumha.net/viewforum.php?f=30>
Note: Registration is required.
<http://aumha.net/profile.php?mode=register>

Silj

--
siljaline

[rolu]

"siljaline" <siljaline@invalid.com> wrote in message
news:l707e.3424$MZ2.603603@news20.bellglobal.com.. .
> "rolu" wrote:
> > Found by Spybot S&D.
> > Has three entries.
> > It was found a day ago. After cleaning it didn't show up.
> > It now does!
> > I have now three infections in the same registry spots.
> > I'm running 98SE.
> > Ad-AwareSE.
> > SpyBot S&D.
> > SpywareBlaster.
> > A-squared.
> > AVG 7.0 free.
> > *All updated* and run as of 2.00am UTC 13/04/05
> > CWShredder 2.14 doesn't find anything.
> > I have a Hijackthis 1.99.1 log
>
> "SpywareStormer" is a *rogue* anti-spyware scanner scam.
> <http://www.webhelper4u.com/scams/spywarestromer.html>
> <http://www.spywarewarrior.com/rogue_anti-spyware.htm>
>
> Post your HijackThis log here:
> <http://aumha.net/viewforum.php?f=30>
> Note: Registration is required.
> <http://aumha.net/profile.php?mode=register>
>
I seems the registration at aumha doesn't work!
All my details are correct.
I've allowed cookies.
They seem to think I've registered before but I can't get the password! even
if 'I've forgotten it'
Is there somewhere else I can get some kind person to look at my HijackThis
log?
---
Thanks
rolu

[Annette Kurten]

"rolu" <rolu@rolu.org> wrote in message
news:la17e.9513$5F3.1635@news-server.bigpond.net.au...
>
> "siljaline" <siljaline@invalid.com> wrote in message
> news:l707e.3424$MZ2.603603@news20.bellglobal.com.. .
> > "rolu" wrote:
> > > Found by Spybot S&D.
> > > Has three entries.
> > > It was found a day ago. After cleaning it didn't show up.
> > > It now does!
> > > I have now three infections in the same registry spots.
> > > I'm running 98SE.
> > > Ad-AwareSE.
> > > SpyBot S&D.
> > > SpywareBlaster.
> > > A-squared.
> > > AVG 7.0 free.
> > > *All updated* and run as of 2.00am UTC 13/04/05
> > > CWShredder 2.14 doesn't find anything.
> > > I have a Hijackthis 1.99.1 log
> >
> > "SpywareStormer" is a *rogue* anti-spyware scanner scam.
> > <http://www.webhelper4u.com/scams/spywarestromer.html>
> > <http://www.spywarewarrior.com/rogue_anti-spyware.htm>
> >
> > Post your HijackThis log here:
> > <http://aumha.net/viewforum.php?f=30>
> > Note: Registration is required.
> > <http://aumha.net/profile.php?mode=register>
> >
> I seems the registration at aumha doesn't work!
> All my details are correct.
> I've allowed cookies.
> They seem to think I've registered before but I can't get the password!
even
> if 'I've forgotten it'
> Is there somewhere else I can get some kind person to look at my
HijackThis
> log?
> ---
> Thanks
> rolu
>
>
http://www.hijackthis.de/index.php?langselect=english
regards

[siljaline]

"rolu" wrote:
<snip>
> I seems the registration at aumha doesn't work!
> All my details are correct.
> I've allowed cookies.
> They seem to think I've registered before but I can't get the password! even
> if 'I've forgotten it'
> Is there somewhere else I can get some kind person to look at my HijackThis
> log?

What user-name did you or are you currently registered under at AumHa Forums?

Silj

--
siljaline

[siljaline]

"Annette Kurten" wrote"
<snip>
> http://www.hijackthis.de/index.php?langselect=english

This site provides an automated service, it's speculative and
data-based, not the best alternative for someone that really
needs experts HJT analysis.

Silj

--
siljaline

[rolu]

User name: rolyp1
The password you are not having!
An email arrived from 'aumha' confirming my user name and password which
were as was submited!
That's after their server failed to recognise me!
My details *were and are correct*.
I have posted the hijackthis log file to a forum at 'aumha'.
Maybe we can find SpywareStormer in my 98SE registry
Thanks mutchly (if that's a word)
---
rolu


"siljaline" <siljaline@invalid.com> wrote in message
news:YO17e.3474$MZ2.619966@news20.bellglobal.com.. .
> "rolu" wrote:
> <snip>
> > I seems the registration at aumha doesn't work!
> > All my details are correct.
> > I've allowed cookies.
> > They seem to think I've registered before but I can't get the password!
even
> > if 'I've forgotten it'
> > Is there somewhere else I can get some kind person to look at my
HijackThis
> > log?
>
> What user-name did you or are you currently registered under at AumHa
Forums?
>
> Silj
>
> --
> siljaline

[rolu]

"rolu" <rolu@rolu.org> wrote in message
news:qs27e.9583$5F3.983@news-server.bigpond.net.au...
> User name: rolyp1
> The password you are not having!
> An email arrived from 'aumha' confirming my user name and password which
> were as was submited!
> That's after their server failed to recognise me!
> My details *were and are correct*.
> I have posted the hijackthis log file to a forum at 'aumha'.
> Maybe we can find SpywareStormer in my 98SE registry
> Thanks mutchly (if that's a word)
> ---
> rolu
>
Duh, mea culpa the word is "muchly' me thinks.
But Spyware Stormer is still storming me.
A link to someone who knows how to remove it would be appreciated.
I do know format c:/s will work!
As for aumha !!?
---
rolu.

[siljaline]

"rolu" wrote:
<snip>
> I have posted the hijackthis log file to a forum at 'aumha'.

Please post back the URL from AumHa Forums, here_

Silj

--
siljaline

[rolu]

"siljaline" <siljaline@invalid.com> wrote in message
news:wFm7e.4129$MZ2.747025@news20.bellglobal.com.. .
> "rolu" wrote:
> <snip>
> > I have posted the hijackthis log file to a forum at 'aumha'.
>
> Please post back the URL from AumHa Forums, here_

You posted:
http://aumha.net/viewforum.php?f=30>
You posted:
http://aumha.net/profile.php?mode=register

The post back from Aumha has been not only deleted, but removed.
Sorry, but do like to keep, not only myself, but my computer clean!
It seems I now have registration rights, *but how can AumHa's software
decide I'm who I'am and then reject me.?!
And email *then* me with confirmation with the details I entered?!

Now for SpywareStormer!

Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 5:12:21 PM, on 14/04/05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\KEMAILKB\KEMAILKB.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.abc.net.au/newsradio
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://pcworld.idg.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.javacoolsoftware.com/spyw...terdonate.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program
Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE2 Reminder] "C:\PROGRAM
FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\EREG.EXE" -r "C:\PROGRAM
FILES\SCANSOFT\OMNIPAGESE2.0\EREGENG\ereg.ini"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMAILKB\KEMailKb.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\RunServices: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

---
rolu