Matthew

Need help with antispy.net virus


***UPDATE ON POST 4. READ FIRST***

 

Symptoms:

1. Pop-ups in the lower right-hand corner.

2. When IE is opened, I'm redirected to antispy.net.

3. Processes are grayed out in the task manager view, preventing me from shutting any processes down.

 

Here is my Ad-Aware log:

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Sunday, August 06, 2006 10:55:32 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R117 03.08.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.Admess(TAC index:5):6 total references

Alexa(TAC index:5):17 total references

CoolWebSearch(TAC index:10):6 total references

DailyToolbar(TAC index:5):14 total references

FakeAlert(TAC index:5):25 total references

MRU List(TAC index:0):27 total references

Tracking Cookie(TAC index:3):1 total references

Transponder(TAC index:10):1 total references

WinFavorites(TAC index:6):12 total references

VX2(TAC index:10):5 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

8-6-2006 10:55:32 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Matt\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Matt\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\internet explorer

Description : last download directory used in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\internet explorer\main

Description : last save directory used in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\mediaplayer\medialibraryui

Description : last selected node in the microsoft windows media player media library

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\mediaplayer\player\settings

Description : last open directory used in jasc paint shop pro

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\mediaplayer\preferences

Description : last playlist index loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\microsoft management console\recent file list

Description : list of recent snap-ins used in the microsoft management console

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\office\11.0\common\general

Description : list of recently used symbols in microsoft office

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru

Description : list of recent documents opened by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\office\11.0\publisher\recent file list

Description : list of recent files used by microsoft publisher

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\realnetworks\realplayer\6.0\preferences

Description : list of recent skins in realplayer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\realnetworks\realplayer\6.0\preferences

Description : list of recent clips in realplayer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\realnetworks\realplayer\6.0\preferences

Description : last login time in realplayer

 

 

MRU List Object Recognized!

Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1229272821-879983540-725345543-1003\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 616

ThreadCreationTime : 8-7-2006 1:45:32 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 680

ThreadCreationTime : 8-7-2006 1:45:35 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 708

ThreadCreationTime : 8-7-2006 1:45:37 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 752

ThreadCreationTime : 8-7-2006 1:45:38 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 764

ThreadCreationTime : 8-7-2006 1:45:38 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 920

ThreadCreationTime : 8-7-2006 1:45:40 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 988

ThreadCreationTime : 8-7-2006 1:45:40 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1028

ThreadCreationTime : 8-7-2006 1:45:40 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1080

ThreadCreationTime : 8-7-2006 1:45:40 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1188

ThreadCreationTime : 8-7-2006 1:45:42 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [ccevtmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1472

ThreadCreationTime : 8-7-2006 1:45:42 AM

BasePriority : Normal

FileVersion : 103.5.7.3

ProductVersion : 103.5.7.3

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Event Manager Service

InternalName : ccEvtMgr

LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

OriginalFilename : ccEvtMgr.exe

 

#:12 [ccsetmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1488

ThreadCreationTime : 8-7-2006 1:45:43 AM

BasePriority : Normal

FileVersion : 103.5.7.3

ProductVersion : 103.5.7.3

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Settings Manager Service

InternalName : ccSetMgr

LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

OriginalFilename : ccSetMgr.exe

 

#:13 [sndsrvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1500

ThreadCreationTime : 8-7-2006 1:45:43 AM

BasePriority : Normal

FileVersion : 6.0.1.105

ProductVersion : 6.0

ProductName : Symantec Security Drivers

CompanyName : Symantec Corporation

FileDescription : Network Driver Service

InternalName : SndSrvc

LegalCopyright : Copyright 2002 - 2005 Symantec Corporation

OriginalFilename : SndSrvc.exe

 

#:14 [wltrysvc.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1672

ThreadCreationTime : 8-7-2006 1:45:43 AM

BasePriority : Normal

 

 

#:15 [bcmwltry.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1684

ThreadCreationTime : 8-7-2006 1:45:43 AM

BasePriority : Normal

FileVersion : 4.10.47.3

ProductVersion : 4.10.47.3

ProductName : Dell Wireless WLAN Card Wireless Network Controller

CompanyName : Dell Inc.

FileDescription : Dell Wireless WLAN Card Wireless Network Controller

InternalName : bcmwltry.exe

LegalCopyright : 1998-2005, Dell Inc. All Rights Reserved.

OriginalFilename : bcmwltry.exe

 

#:16 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1732

ThreadCreationTime : 8-7-2006 1:45:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:17 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1876

ThreadCreationTime : 8-7-2006 1:45:45 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:18 [stsystra.exe]

FilePath : C:\WINDOWS\

ProcessID : 1988

ThreadCreationTime : 8-7-2006 1:45:46 AM

BasePriority : Normal

FileVersion : 1.0.4717.0 nd286 cp1

ProductVersion : 1.0.4717.0 nd286 cp1

ProductName : C-Major Audio

CompanyName : SigmaTel, Inc.

FileDescription : Sigmatel Audio system tray application

InternalName : stsystray.exe

LegalCopyright : Copyright © 2004-2005, SigmaTel, Inc.

OriginalFilename : stsystray.exe

 

#:19 [syntpenh.exe]

FilePath : C:\Program Files\Synaptics\SynTP\

ProcessID : 1996

ThreadCreationTime : 8-7-2006 1:45:46 AM

BasePriority : Normal

FileVersion : 8.2.4.3 29Nov05

ProductVersion : 8.2.4.3 29Nov05

ProductName : Synaptics Pointing Device Driver

CompanyName : Synaptics, Inc.

FileDescription : Synaptics TouchPad Enhancements

InternalName : Synaptics Enhancements Application

LegalCopyright : Copyright © Synaptics, Inc. 1996-2005

OriginalFilename : SynTPEnh.exe

 

#:20 [wltray.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2028

ThreadCreationTime : 8-7-2006 1:45:46 AM

BasePriority : Normal

FileVersion : 4.10.47.3

ProductVersion : 4.10.47.3

ProductName : Dell Wireless WLAN Card Wireless Network Tray Applet

CompanyName : Dell Inc.

FileDescription : Dell Wireless WLAN Card Wireless Network Tray Applet

InternalName : wltray.exe

LegalCopyright : 1998-2005, Dell Inc. All Rights Reserved.

OriginalFilename : wltray.exe

 

#:21 [ccapp.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 292

ThreadCreationTime : 8-7-2006 1:45:47 AM

BasePriority : Normal

FileVersion : 103.5.7.3

ProductVersion : 103.5.7.3

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec User Session

InternalName : ccApp

LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.

OriginalFilename : ccApp.exe

 

#:22 [vptray.exe]

FilePath : C:\PROGRA~1\SYMANT~1\

ProcessID : 320

ThreadCreationTime : 8-7-2006 1:45:47 AM

BasePriority : Normal

FileVersion : 10.0.2.2001

ProductVersion : 10.0.2.2001

ProductName : Symantec AntiVirus

CompanyName : Symantec Corporation

FileDescription : Symantec AntiVirus

LegalCopyright : Copyright 2005 Symantec Corporation. All rights reserved.

 

#:23 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 588

ThreadCreationTime : 8-7-2006 1:45:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:24 [hpqtra08.exe]

FilePath : C:\Program Files\HP\Digital Imaging\bin\

ProcessID : 1132

ThreadCreationTime : 8-7-2006 1:45:51 AM

BasePriority : Normal

FileVersion : 45.4.157.000

ProductVersion : 045.004.157.000

ProductName : hp digital imaging - hp all-in-one series

CompanyName : Hewlett-Packard Co.

FileDescription : HP Digital Imaging Monitor

InternalName : HPQTRA00

LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2004

OriginalFilename : HPQTRA00.EXE

Comments : HP Digital Imaging Monitor

 

#:25 [defwatch.exe]

FilePath : C:\Program Files\Symantec AntiVirus\

ProcessID : 448

ThreadCreationTime : 8-7-2006 1:46:02 AM

BasePriority : Normal

FileVersion : 10.0.2.2001

ProductVersion : 10.0.2.2001

ProductName : Symantec AntiVirus

CompanyName : Symantec Corporation

FileDescription : Virus Definition Daemon

InternalName : DefWatch

LegalCopyright : Copyright 1998 - 2005 Symantec Corporation. All rights reserved.

OriginalFilename : DefWatch.exe

 

#:26 [mdm.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\

ProcessID : 672

ThreadCreationTime : 8-7-2006 1:46:03 AM

BasePriority : Normal

FileVersion : 7.00.9466

ProductVersion : 7.00.9466

ProductName : Microsoft® Visual Studio .NET

CompanyName : Microsoft Corporation

FileDescription : Machine Debug Manager

InternalName : mdm.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : mdm.exe

 

#:27 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1148

ThreadCreationTime : 8-7-2006 1:46:03 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:28 [rtvscan.exe]

FilePath : C:\Program Files\Symantec AntiVirus\

ProcessID : 1296

ThreadCreationTime : 8-7-2006 1:46:03 AM

BasePriority : Normal

FileVersion : 10.0.2.2001

ProductVersion : 10.0.2.2001

ProductName : Symantec AntiVirus

CompanyName : Symantec Corporation

FileDescription : Symantec AntiVirus

LegalCopyright : Copyright 2005 Symantec Corporation. All rights reserved.

 

#:29 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1424

ThreadCreationTime : 8-7-2006 1:46:03 AM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:30 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 2552

ThreadCreationTime : 8-7-2006 1:46:09 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:31 [smartdrv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1548

ThreadCreationTime : 8-7-2006 3:19:24 AM

BasePriority : Normal

FileVersion : 1.00

ProductVersion : 1.00

ProductName : Project1

CompanyName : Trojan Factory

InternalName : main

OriginalFilename : main.dat

 

#:32 [iexplore.exe]

FilePath : C:\Program Files\Internet Explorer\

ProcessID : 2920

ThreadCreationTime : 8-7-2006 3:39:54 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : IEXPLORE.EXE

 

#:33 [iexplore.exe]

FilePath : C:\Program Files\Internet Explorer\

ProcessID : 3180

ThreadCreationTime : 8-7-2006 3:44:22 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : IEXPLORE.EXE

 

#:34 [officescan.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1108

ThreadCreationTime : 8-7-2006 3:50:01 AM

BasePriority : Normal

FileVersion : 1.00

ProductVersion : 1.00

ProductName : Project1

CompanyName : Trojan Factory

InternalName : officescan

OriginalFilename : officescan.exe

 

#:35 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 2248

ThreadCreationTime : 8-7-2006 3:55:09 AM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 27

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\{f6bdb4e5-d6aa-4d1f-8b67-bcb0f2246e21}

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\wstart.dll

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{9896231a-c487-43a5-8369-6ec9b0a96cc0}

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : wstart.whttphelper

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : wstart.whttphelper.1

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : alxtb.bho

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{0bbb0424-e98e-4405-9a94-481854765c80}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{0f3332b5-bc98-48af-9fac-05fec94ebe73}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{3e60160f-0ed6-4dcc-b6b6-850cde4fd217}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{a69107cc-bec8-4a34-b474-211b0f46a764}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{b7b84995-8b92-46bf-94aa-fa2f3dd23b84}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{fa77ad79-09cf-41fb-b171-cc856f9e737f}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : popmenu.menu

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : popup.popupkiller

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : typelib\{547ab549-4dd8-4ea0-b070-f6ea062148ff}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{a6a68cbd-6673-41b1-b997-3f83a25b45b0}

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{b71c7d9a-da43-4e8b-bb98-1684ac2af324}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\dailytoolbar.dll

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\{951b3138-ae8e-4676-a05a-250a5f111631}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{58f9b276-e1cc-458e-8159-21cbc021874b}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{8333c319-0669-4893-a418-f56d9249fca6}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : dailytoolbar.ieband

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : dailytoolbar.sysmgr

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : ietoolbar.affiliatectl

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{10195311-e434-47a9-adba-48839e3f7e4e}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{abafa0b4-f78d-42e5-8c31-1a441d01c1df}

 

FakeAlert Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{60e2e76b-60e2e76b-60e2e76b-60e2e76b-60e2e76b}

 

FakeAlert Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{e52dedbb-d168-4bdb-b229-c48160800e81}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : bridge.brdg

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{80bb7465-a638-43b5-9827-8e8fe38dfcc1}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : jao.jao

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : typelib\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27}

 

Adware.Admess Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\wsoft

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\alexa internet

 

CoolWebSearch Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{7b55bb05-0b4d-44fd-81a6-b136188f5deb}

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\dailytoolbar

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\nix solutions\dailytoolbar

 

Transponder Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\transponder

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\clsid\{80bb7465-a638-43b5-9827-8e8fe38dfcc1}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\typelib\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27}

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\respondmiter

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{ffd2825e-0785-40c5-9a41-518f53a8261f}

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-f09c-02b4-6ec2-ad0300000000}

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-c1ec-0345-6ec2-4d0300000000}

 

VX2 Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-59d4-4008-9058-080011001200}

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 47

Objects found so far: 74

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8333c319-0669-4893-a418-f56d9249fca6}

 

FakeAlert Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81}

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 2

Objects found so far: 76

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b}

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:[email protected]/

Expires : 8-5-2011 10:42:14 PM

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 78

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 78

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 78

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\alexa toolbar

 

Alexa Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\uninstall\alexa toolbar

 

Alexa Object Recognized!

Type : File

Data : alxres.dll

TAC Rating : 5

Category : Data Miner

Comment :

Object : C:\WINDOWS\system32\

 

 

 

DailyToolbar Object Recognized!

Type : Regkey

Data :

TAC Rating : 5

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\nix solutions

 

DailyToolbar Object Recognized!

Type : File

Data : dailytoolbar.dll

TAC Rating : 5

Category : Misc

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : RegValue

Data :

TAC Rating : 5

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : software\microsoft\windows\currentversion\runonce\srv32 spool service

Value : Adware.Srv32

 

FakeAlert Object Recognized!

Type : RegValue

Data :

TAC Rating : 5

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\run

Value : Adware.Srv32

 

FakeAlert Object Recognized!

Type : File

Data : alexaie.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : alxtb1.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : alxie328.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : BTGrab.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : dlmax.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : infected.gif

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : Pynix.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : susp.exe

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : win_logo.gif

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : ZServ.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : a.exe

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : bridge.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : jao.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : questmod.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : runsrv32.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : runsrv32.exe

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : tcpservice2.exe

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : txfdb32.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : udpmod.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

FakeAlert Object Recognized!

Type : File

Data : wstart.dll

TAC Rating : 5

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

CONTINUED ON NEXT POST


WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12}

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\uninstall\bridge

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\bridge.brdg

 

WinFavorites Object Recognized!

Type : Regkey

Data :

TAC Rating : 6

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\jao.jao

 

CoolWebSearch Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : software\microsoft\windows\currentversion\internet settings\zonemap\domains\i--search.com

 

CoolWebSearch Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\downloadmanager

 

CoolWebSearch Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : software\microsoft\internet explorer\main

Value : Search Bar

 

CoolWebSearch Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : software\microsoft\internet explorer\new windows

Value : PopupMgr

 

CoolWebSearch Object Recognized!

Type : RegData

Data : about:blank

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : software\microsoft\internet explorer\main

Value : Start Page

Data : about:blank

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 36

Objects found so far: 114

 

11:02:02 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:06:30.328

Objects scanned:132330

Objects identified:87

Objects ignored:0

New critical objects:87


Here is my HijackThis Log

 

Logfile of HijackThis v1.99.1

Scan saved at 11:19:55 PM, on 8/6/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\smartdrv.exe

C:\WINDOWS\system32\officescan.exe

C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://resnet.baylor.edu

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://resnet.baylor.edu

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Residential Technology Services

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)

O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll

O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [ssdiag] C:\WINDOWS\ssdiag.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w

O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228

O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=https://resnet.baylor.edu

O14 - IERESET.INF: MS_START_PAGE_URL=https://resnet.baylor.edu

O15 - Trusted Zone: http://bigdog.baylor.edu

O15 - Trusted Zone: http://its01.baylor.edu

O15 - Trusted Zone: http://mail.baylor.edu

O15 - Trusted Zone: http://raymond.baylor.edu

O15 - Trusted Zone: http://rmsweb.baylor.edu

O15 - Trusted Zone: http://bigdog.baylor.edu (HKLM)

O15 - Trusted Zone: http://its01.baylor.edu (HKLM)

O15 - Trusted Zone: http://mail.baylor.edu (HKLM)

O15 - Trusted Zone: http://raymond.baylor.edu (HKLM)

O15 - Trusted Zone: http://rmsweb.baylor.edu (HKLM)

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


I ran Ewido and that seemed to get rid of all the negative effects and my computer is running smoothly. I quarantined everything using Ewido, so do I now need to delete these files?

 

Is there anything else I need to do?


Hi,

 

Apologies for the late reply; we've been quite swamped in here, as you can probably see.

 

Are you still needing help?

 

I'm now subscribed to this topic so I will receive a notice from the board as soon as you reply, so I can be here much more quickly than it has taken to get to your new topic.

 

If you still need help, please post a fresh HijackThis log so I can see where you are at this point.


Thanks for the reply. I'm not sure if I need help or not. My computer has been working fine, but sometimes I won't even have an IE window open and my Symantec antivirus autoprotect will pop up with warnings about some type of spyware, malware, etc. that has been quarantined. That kinda leads me to believe that maybe I got rid of the worst of it but something is still lurking. Here is my HJT log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 4:13:54 PM, on 8/13/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\NetZero\exec.exe

C:\Program Files\NetZero\exec.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\NetZero\qsacc\x1exec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HiJackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://resnet.baylor.edu

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://resnet.baylor.edu

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Residential Technology Services

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll

O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [ssdiag] C:\WINDOWS\ssdiag.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w

O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun

O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228

O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=https://resnet.baylor.edu

O14 - IERESET.INF: MS_START_PAGE_URL=https://resnet.baylor.edu

O15 - Trusted Zone: http://bigdog.baylor.edu

O15 - Trusted Zone: http://its01.baylor.edu

O15 - Trusted Zone: http://mail.baylor.edu

O15 - Trusted Zone: http://raymond.baylor.edu

O15 - Trusted Zone: http://rmsweb.baylor.edu

O15 - Trusted Zone: http://bigdog.baylor.edu (HKLM)

O15 - Trusted Zone: http://its01.baylor.edu (HKLM)

O15 - Trusted Zone: http://mail.baylor.edu (HKLM)

O15 - Trusted Zone: http://raymond.baylor.edu (HKLM)

O15 - Trusted Zone: http://rmsweb.baylor.edu (HKLM)

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Your HijackThis log looks good.

 

Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

At the prompt, type in a 1 for search and hit Enter to let it search and create a report of any infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt. Please copy the result from that report back here for review :D


Ok, here is the rapport.txt file:

 

SmitFraudFix v2.81

 

Scan done at 18:29:16.54, Sun 08/13/2006

Run from C:\Documents and Settings\Matt\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

C:\WINDOWS\bg_bg.gif FOUND !

C:\WINDOWS\big_red_x.gif FOUND !

C:\WINDOWS\buy_now.gif FOUND !

C:\WINDOWS\click_for_free_scan.gif FOUND !

C:\WINDOWS\close_ico.gif FOUND !

C:\WINDOWS\download.gif FOUND !

C:\WINDOWS\download_product.gif FOUND !

C:\WINDOWS\free_scan_red_btn.gif FOUND !

C:\WINDOWS\icon_warning_big.gif FOUND !

C:\WINDOWS\infected_top_bg.gif FOUND !

C:\WINDOWS\logo.gif FOUND !

C:\WINDOWS\navibar_bg.gif FOUND !

C:\WINDOWS\navibar_corner_left.gif FOUND !

C:\WINDOWS\navibar_corner_right.gif FOUND !

C:\WINDOWS\product_box.gif FOUND !

C:\WINDOWS\red_warning_ico.gif FOUND !

C:\WINDOWS\remove_spyware_header.gif FOUND !

C:\WINDOWS\safe_and_trusted.gif FOUND !

C:\WINDOWS\spyware_detected.gif FOUND !

C:\WINDOWS\yellow_warning_ico.gif FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

C:\WINDOWS\system32\mshtml32.tdb FOUND !

C:\WINDOWS\system32\officescan.exe FOUND !

C:\WINDOWS\system32\smaexp32.dll FOUND !

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Matt\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Matt\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks, that means we had better do some more cleaning.

 

1. Copy these instructions so you have them handy as the next steps will be done in SAFE MODE so you won't be able to view this window.

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually.

 

Again, copy the results of the report (C:\rapport.txt) back here after cleaning.


Ok, here is the new rapport.txt file:

 

SmitFraudFix v2.81

 

Scan done at 20:17:17.21, Sun 08/13/2006

Run from C:\Documents and Settings\Matt\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\bg_bg.gif Deleted

C:\WINDOWS\big_red_x.gif Deleted

C:\WINDOWS\buy_now.gif Deleted

C:\WINDOWS\click_for_free_scan.gif Deleted

C:\WINDOWS\close_ico.gif Deleted

C:\WINDOWS\download.gif Deleted

C:\WINDOWS\download_product.gif Deleted

C:\WINDOWS\free_scan_red_btn.gif Deleted

C:\WINDOWS\icon_warning_big.gif Deleted

C:\WINDOWS\infected_top_bg.gif Deleted

C:\WINDOWS\logo.gif Deleted

C:\WINDOWS\navibar_bg.gif Deleted

C:\WINDOWS\navibar_corner_left.gif Deleted

C:\WINDOWS\navibar_corner_right.gif Deleted

C:\WINDOWS\product_box.gif Deleted

C:\WINDOWS\red_warning_ico.gif Deleted

C:\WINDOWS\remove_spyware_header.gif Deleted

C:\WINDOWS\safe_and_trusted.gif Deleted

C:\WINDOWS\spyware_detected.gif Deleted

C:\WINDOWS\yellow_warning_ico.gif Deleted

C:\WINDOWS\system32\mshtml32.tdb Deleted

C:\WINDOWS\system32\officescan.exe Deleted

C:\WINDOWS\system32\smaexp32.dll Deleted

C:\WINDOWS\system32\smartdrv.exe Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

Hopefully this got everything, but if you want I can post another HJT log or whatever. Thanks for all your help! :D

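As an added example (not part of the thread and not code from the SmitFraudFix tool), here is a small Python script that parses the "FOUND !" lines of a search-mode rapport.txt and the "Deleted" lines of the clean-mode run, then reconciles the two so you can see which flagged files were actually removed, which are still unaccounted for, and which were only caught in the second pass (as smartdrv.exe was above). The two report excerpts are constructed from the logs posted in this thread.

```python
"""Reconcile a SmitFraudFix search run against its clean run (added example)."""
import re

# Constructed excerpts modelled on the two rapport.txt files posted in the thread.
SEARCH_REPORT = """\
SmitFraudFix v2.81
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\\WINDOWS
C:\\WINDOWS\\buy_now.gif FOUND !
C:\\WINDOWS\\spyware_detected.gif FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\\WINDOWS\\system32
C:\\WINDOWS\\system32\\officescan.exe FOUND !
C:\\WINDOWS\\system32\\smaexp32.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

CLEAN_REPORT = """\
SmitFraudFix v2.81
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\\WINDOWS\\buy_now.gif Deleted
C:\\WINDOWS\\spyware_detected.gif Deleted
C:\\WINDOWS\\system32\\officescan.exe Deleted
C:\\WINDOWS\\system32\\smartdrv.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# A result line is a drive-letter path followed by the tool's verdict.
FOUND_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) FOUND !$", re.M)
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Deleted$", re.M)


def found_paths(report):
    # Windows paths are case-insensitive, so normalise before comparing.
    return {m.group("path").lower() for m in FOUND_RE.finditer(report)}


def deleted_paths(report):
    return {m.group("path").lower() for m in DELETED_RE.finditer(report)}


def reconcile(search_report, clean_report):
    found, deleted = found_paths(search_report), deleted_paths(clean_report)
    return {
        "removed": sorted(found & deleted),        # flagged and confirmed gone
        "still_present": sorted(found - deleted),  # flagged but never deleted: follow up
        "new_in_clean": sorted(deleted - found),   # only caught by the clean pass
        "registry_cleaned": "Registry Cleaning done." in clean_report,
    }
```

Anything listed under still_present is the case to chase: the search pass flagged it, but no "Deleted" line confirms removal.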
That looks good, Matthew :D

 

Let me know if anything on your end is giving you problems? Have the Symantec warnings stopped?

 

 

Everything seems to be working fine and there have been no more Symantec warnings.

 

I do have one more question though. I thought I had deleted everything from my Symantec quarantine, but I went back and checked and there are two files left. Both were originally located in a Java folder:

(C:\Documents and Settings\Matt\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar)

 

One is named "Java.jar-7e09d0a6-1904dbe3.zip" and the other is "loaderadv499.jar-16b64c18-4000cdf3.zip".

 

I mention this because I think last week I saw another post that said that your computer can be more susceptible to viruses, etc if Java is not updated and I didn't know if maybe these files in quarantine had something to do with that.

 

Anyway, I just want to know if I should delete these files from quarantine and if they suggest any lingering problem. Java is supposed to update automatically on my comp so I think I'm good there.

 

Everything seems to be working perfectly though. Thanks!


Yes, you want to delete all old versions of Java that are listed in Add/Remove Programs in your Control Panel,

however, what you have listed there is something different. Those are files in the java cache. Just like your TIF (temporary internet files) folder, those are webpages viewed that contained an exploit. It doesn't necessarily mean your computer was infected or that you were even vulnerable to the exploit. Your security software just sees that the webpage contains an exploit and quarantines it. It can't clean it - you just need to empty your Java Cache.

 

See further details here on what it's about and how to clear your Java cache when you see those:

Virus found in the Java™ Runtime Environment, Standard Edition (JRE) cache directory

http://java.com/en/download/help/cache_virus.jsp

 

Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:

 

1. From the Start button, click Settings > Control Panel

2. In the Control Panel, open the "Java Plug-in Control Panel"

3. Select the Cache Tab

4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory

.................

For later versions of Java

 

In the Control Panel, select the Java icon (looks like a coffee cup).

 

Under the General tab at the bottom you will see a section: "Temporary Internet files"

 

Choose *delete files* and then *ok*.


You're welcome! Glad it was a help :)

 

I'll go ahead and archive this topic in the "Resolved" section (read only). If you should have any further issues, please feel free to start a new topic.

 

Some final cleanup and prevention recommendations follow.

 

You can go ahead and delete any special tools we used (SmitRem, SmitfraudFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is no need to keep them.

 

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr

Wait while Windows scans your system for files to delete.

Make sure these 3 are checkmarked and press *ok* to delete them.

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Put a Checkmark in the box next to "Turn off System Restore".

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Remove the checkmark next to "Turn off System Restore".

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

......................

I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

 

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.

Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.

Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

 

A word about shared computers and networks.

Share Your PC

http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx

Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.

 

 

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help ;).

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

 

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!

Windows Update

http://update.microsoft.com/microsoftupdate/

 

And see this link for instructions on how to configure the enhanced security features in SP2:

http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

 

I also highly recommend getting the free tool, Microsoft Baseline Security Analyzer (MBSA), from Microsoft to analyze your PC security for prevention purposes.

 

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/security/...s/mbsahome.mspx

Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

 

Also visit this Free Online Scanner from Microsoft for PC Health and Safety

http://safety.live.com/site/en-US/default.htm

and Microsoft Security At Home

http://www.microsoft.com/athome/security/default.mspx

for tips to Protect your PC, Protect yourself and Protect your Family.
