Pest Trap is a variant of the infamous SpySheriff, downloadable from pesttrap(dot)com.
SpySheriff is one of these nasty rogue antispyware applications; it was one of the top 10 rogue anti-spyware apps of 2005, coming in at number 2.
PestTrap was found being advertised on a new fake security center web page, uptodatesecurity.com. I don’t recommend going to that page in Internet Explorer. Even in Mozilla a fake warning pops up saying “your pc is infected with spyware blah.. blah…”
Another fake security center. Googling for Pest Trap info brought the following:
Security Center
Recommended Anti-Spyware Software: Pest Trap, Malware Wipe, Spy Guard, Online Security. Pest Trap Most popular spyware/adware cleaner software all over the …
securitycaution.com/ – 9k – Jan 24, 2006 – Cached – Similar pages
Any idea on how to get rid of pest trap/malwarewipe?
to jon
Make a HijackThis log and post it there.
Thank you Patrik, here it is:
Logfile of HijackThis v1.99.1
Scan saved at 7:20:43 PM, on 2/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AMD\Cool’n’Quiet\GemServ.exe
C:\Program Files\AMD\Cool’n’Quiet\gemback.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\ZoneLabs\isafe.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\nvraidservice.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\System32\wbem\unsecapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\DeltTray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 – BHO: HomepageBHO – {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} – C:\WINNT\System32\hp8E65.tmp
O3 – Toolbar: &Radio – {8E718888-423F-11D2-876E-00A0C9082467} – C:\WINNT\System32\msdxm.ocx
O3 – Toolbar: &Google – {2318C2B1-4965-11d4-9B18-009027A5CD4F} – c:\program files\google\googletoolbar1.dll
O4 – HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 – HKLM\..\Run: [NVRaidService] C:\WINNT\System32\nvraidservice.exe
O4 – HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 – HKLM\..\Run: [AdaptecDirectCD] “C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 – HKLM\..\Run: [DeltTray] DeltTray.exe
O4 – HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 – HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 – HKLM\..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 – HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 – HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 – HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 – Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 – Extra context menu item: &Google Search – res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 – Extra context menu item: &Translate English Word – res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 – Extra context menu item: Backward Links – res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 – Extra context menu item: Cached Snapshot of Page – res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 – Extra context menu item: Similar Pages – res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 – Extra context menu item: Translate Page into English – res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 – Extra button: AIM – {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} – C:\Program Files\AIM\aim.exe
O23 – Service: CA ISafe (CAISafe) – Computer Associates International, Inc. – C:\WINNT\System32\ZoneLabs\isafe.exe
O23 – Service: AMD PowerNow! ™ Technology Service (GemServ) – Advanced Micro Devices – C:\Program Files\AMD\Cool’n’Quiet\GemServ.exe
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 – Service: iPodService – Apple Computer, Inc. – C:\Program Files\iPod\bin\iPodService.exe
O23 – Service: Macromedia Licensing Service – Macromedia – C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINNT\System32\nvsvc32.exe
O23 – Service: TrueVector Internet Monitor (vsmon) – Zone Labs, LLC – C:\WINNT\system32\ZONELABS\vsmon.exe
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: PestTrap
Then using Windows Explorer, delete the following folder: C:\Program Files\PestTrap
Please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Now you need to run HijackThis and click “Do a system scan only”
Place a check next to the following entries (if they are still there):
O2 – BHO: HomepageBHO – {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} – C:\WINNT\System32\hp8E65.tmp
Click Fix Checked
Restart your computer in normal mode.
Run the Panda online virus scan; after the scan, post the log there.
And one question: were these programs (AIM, iTunes, QuickTime) installed by you?
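An added illustration, not part of the thread or of HijackThis itself: the entry selected for fixing above is an O2 Browser Helper Object whose module is a .tmp file in System32, whereas BHOs are in-process COM servers and are normally DLLs. The Python sketch below applies that one heuristic to O2 lines; the function name suspicious_bhos, the extension allow-list and the last sample line are assumptions made for the example.

```python
import ntpath
import re

# The logs on this page separate fields with an en dash; the tool itself
# writes a plain hyphen. Accept either.
SEP = r"\s+[–-]\s+"
O2_BHO = re.compile(
    r"^O2" + SEP + r"BHO:\s*(?P<name>.*?)" + SEP
    + r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})" + SEP + r"(?P<path>.+)$"
)
EXPECTED_EXT = {".dll", ".ocx"}   # assumed allow-list: BHOs are COM DLLs
MISSING = "(file missing)"        # suffix HijackThis adds for absent files

def suspicious_bhos(log_text):
    """Return [(clsid, path, [reasons])] for O2 entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O2_BHO.match(line.strip())
        if not m:
            continue              # process list, O3, O4, ... are ignored
        path, reasons = m.group("path").strip(), []
        if path.endswith(MISSING):
            path = path[: -len(MISSING)].rstrip()
            reasons.append("registered module is missing on disk")
        ext = ntpath.splitext(path)[1].lower()
        if ext not in EXPECTED_EXT:
            reasons.append(f"module extension is {ext or 'absent'}, not a DLL")
        if reasons:
            findings.append((m.group("clsid"), path, reasons))
    return findings

# The first three lines are copied from the two logs in this thread; the
# last line is constructed to show the "(file missing)" case.
SAMPLE = r"""
O2 – BHO: HomepageBHO – {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} – C:\WINNT\System32\hp8E65.tmp
O3 – Toolbar: &Radio – {8E718888-423F-11D2-876E-00A0C9082467} – C:\WINNT\System32\msdxm.ocx
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\Program Files\Fix-It Programs\Spybot – Search & Destroy\SDHelper.dll
O2 - BHO: Example - {00000000-0000-0000-0000-000000000000} - C:\Example\helper.dll (file missing)
"""

if __name__ == "__main__":
    for clsid, path, reasons in suspicious_bhos(SAMPLE):
        print(clsid, path, "; ".join(reasons))
```

A hit is a prompt to look at the file, not a verdict; the SDHelper.dll entry from the second log passes because its module is an ordinary DLL.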
That fixed the stolen homepage problem, thanks. Yeah, I installed most of those programs myself, except QuickTime, which installed itself with iTunes somehow. Here's the Panda scan.
Incident Status Location
Adware:adware/securityerror Not disinfected C:\WINNT\system32\mscornet.exe
Adware:Adware/SpywareStrike Not disinfected C:\WINNT\system32\1024\ld6D.tmp
Spyware:Spyware/Smitfraud Not disinfected C:\WINNT\Temp\SSLanguage.ini
Spyware:Cookie/go Not disinfected C:\FOUND.005\FILE0000.CHK
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@2o7[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@go[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@questionmarket[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ads.pointroll[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@bluestreak[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@centrport[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@2o7[2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ask[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@realmedia[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@as-us.falkag[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@belnk[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@trafficmp[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@apmebf[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ath.belnk[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@fastclick[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@dist.belnk[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@go[1].txt
Spyware:Cookie/go Not disinfected C:\FOUND.006\FILE0000.CHK
Adware:Adware/SpywareStrike Not disinfected C:\Recycled\Dc244\SpywareStrike.exe
Spyware:Cookie/Com.com Not disinfected C:\Recycled\Dc248.txt
Spyware:Cookie/Statcounter Not disinfected C:\Recycled\Dc254.txt
Spyware:Cookie/go Not disinfected C:\Recycled\Dc264.txt
PandaScan found SpywareStrike. To remove it:
Download smitRem and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.
Reboot your computer in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again — this is normal.
Wait for the tool to complete and Disk Cleanup to finish — this may take a while; please be patient.
Also install good Free Anti Spyware Tools.
pls excuse the “me too” post, but me too.
I ran smitRem and that seems to have helped a lot.
I ran Panda ActiveScan:
Panda ActiveScan5.52.00
Incident Status Location
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Melissa\Cookies\melissa@2o7[2].txt
Adware:Adware/PsGuard Not disinfected C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Melissa\Cookies\melissa@2o7[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Melissa\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Melissa\Desktop\smitRem.exe[Process.exe]
Virus:W32/Smitfraud.E Not disinfected C:\WINDOWS\$NtUninstallKB896727-IE6SP1-20050719.165959$\wininet.dll
Adware:Adware/PsGuard Not disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt
Spyware:Spyware/Zhopa Not disinfected C:\~WRF0409.tmp
I also ran HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 9:27:39 PM, on 3/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Juno6\zCast.exe
C:\Program Files\Juno6\chkras.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fix-It Programs\Hijack This\HijackThis.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 – HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 – HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/s/sp?r=al&cf=sp&mem=geokp&key=519c911024d1f2e25dfa8f014cd610b5&ts=3fec9668&A=264339310000729&B=1049097600000&C=1049097600000&D=0&I=6.1.4JU&L=g%236&M=1049097600000&N=PLOC&O=I
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 – URLSearchHook: URLSearchHook Class – {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} – C:\Program Files\JUSearch\SearchEnh1.dll
F2 – REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\Program Files\Fix-It Programs\Spybot – Search & Destroy\SDHelper.dll
O3 – Toolbar: &Radio – {8E718888-423F-11D2-876E-00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [ShStatEXE] “C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE” /STANDALONE
O4 – HKLM\..\Run: [McAfeeUpdaterUI] “C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe”
O4 – HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 – HKLM\..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 – HKCU\..\Run: [spc_w] “C:\Program Files\JUSearch\juspc.exe” -w
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 – Extra button: Related – {c95fe080-8f5d-11d2-a20b-00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra ‘Tools’ menuitem: Show &Related Links – {c95fe080-8f5d-11d2-a20b-00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\MSMSGS.EXE
O9 – Extra ‘Tools’ menuitem: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\MSMSGS.EXE
O16 – DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) – http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{3DF42833-D7BF-4B3C-A222-9191CB1A8C70}: NameServer = 64.136.28.122 64.136.20.122
O17 – HKLM\System\CCS\Services\Tcpip\..\{CA0AF209-CB06-49E7-AED6-F1AA748CCCDC}: NameServer = 209.149.56.2,209.149.56.3
O23 – Service: McAfee Framework Service (McAfeeFramework) – Network Associates, Inc. – C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 – Service: Network Associates McShield (McShield) – Network Associates, Inc. – C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 – Service: Network Associates Task Manager (McTaskManager) – Network Associates, Inc. – C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
Any suggestions?
Thanks,
capt.pearl
ok, only please post your log to the Forum – Spyware Removal