JHarborough

Spyware has hijacked my browser

5 posts in this topic

Even after running a full complete scan of my system with SE, I still have a SpySheriff that loads in my quicklaunch at startup, and flashes in red "your computer is infected! there is a critical system error". Then an annoying balloon pops up every 30 seconds with a yellow caution sign, "Urgent system message: Virus!".

 

Of course, when I open up my web browser it redirects my home page to their site to purchase malware etc.

 

How do I get rid of this malicious spyware without a defrag? Please help out.

 

Below I have listed my scan results:

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Wednesday, May 31, 2006 11:03:10 AM

Using definitions file:SE1R109 22.05.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):7 total references

Tracking Cookie(TAC index:3):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Skip non-executable files

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Ignore spanned files when scanning cab archives

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Block pop-ups aggressively

Set : Automatically select problematic objects in results lists

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Show splash screen

Set : Backup current definitions file before updating

Set : Play sound at scan completion if scan locates critical objects

 

 

5-31-2006 11:03:10 AM - Scan started. (Custom mode)

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 928

ThreadCreationTime : 5-31-2006 5:15:32 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 1048

ThreadCreationTime : 5-31-2006 5:15:41 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 1080

ThreadCreationTime : 5-31-2006 5:15:52 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1124

ThreadCreationTime : 5-31-2006 5:15:53 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1136

ThreadCreationTime : 5-31-2006 5:15:53 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1280

ThreadCreationTime : 5-31-2006 5:15:54 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1340

ThreadCreationTime : 5-31-2006 5:15:54 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [msmpeng.exe]

FilePath : C:\Program Files\Windows Defender\

ProcessID : 1384

ThreadCreationTime : 5-31-2006 5:15:54 PM

BasePriority : Normal

FileVersion : 1.1.1347.0

ProductVersion : 1.1.1347.0

ProductName : Windows Defender

CompanyName : Microsoft Corporation

FileDescription : Service Executable

InternalName : MsMpEng.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : MsMpEng.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1428

ThreadCreationTime : 5-31-2006 5:15:54 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1484

ThreadCreationTime : 5-31-2006 5:15:54 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1624

ThreadCreationTime : 5-31-2006 5:15:56 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:12 [ccproxy.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1820

ThreadCreationTime : 5-31-2006 5:15:59 PM

BasePriority : Normal

FileVersion : 103.0.7.2

ProductVersion : 103.0.7.2

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Network Proxy Service

InternalName : ccProxy

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccProxy.exe

 

#:13 [ccsetmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1836

ThreadCreationTime : 5-31-2006 5:15:59 PM

BasePriority : Normal

FileVersion : 103.0.5.2

ProductVersion : 103.0.5.2

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Settings Manager Service

InternalName : ccSetMgr

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccSetMgr.exe

 

#:14 [sndsrvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1848

ThreadCreationTime : 5-31-2006 5:15:59 PM

BasePriority : Normal

FileVersion : 5.5.1.6

ProductVersion : 5.5

ProductName : Symantec Security Drivers

CompanyName : Symantec Corporation

FileDescription : Network Driver Service

InternalName : SndSrvc

LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation

OriginalFilename : SndSrvc.exe

 

#:15 [spbbcsvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\

ProcessID : 1860

ThreadCreationTime : 5-31-2006 5:15:59 PM

BasePriority : Normal

FileVersion : 1,0,1,47

ProductVersion : 1,0,1,47

ProductName : SPBBC

CompanyName : Symantec Corporation

FileDescription : SPBBC Service

InternalName : SPBBCSvc

LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved.

OriginalFilename : SPBBCSvc.exe

 

#:16 [ccevtmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1976

ThreadCreationTime : 5-31-2006 5:16:02 PM

BasePriority : Normal

FileVersion : 103.0.5.2

ProductVersion : 103.0.5.2

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Event Manager Service

InternalName : ccEvtMgr

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccEvtMgr.exe

 

#:17 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 596

ThreadCreationTime : 5-31-2006 5:16:04 PM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:18 [aluschedulersvc.exe]

FilePath : C:\Program Files\Symantec\LiveUpdate\

ProcessID : 820

ThreadCreationTime : 5-31-2006 5:16:12 PM

BasePriority : Normal

FileVersion : 3.0.0.160

ProductVersion : 3.0.0.160

ProductName : LiveUpdate

CompanyName : Symantec Corporation

FileDescription : Automatic LiveUpdate Scheduler Service

InternalName : Automatic LiveUpdate Scheduler Service

LegalCopyright : Copyright © 1996-2005 Symantec Corporation

OriginalFilename : ALUSchedulerSvc.exe

 

#:19 [inetinfo.exe]

FilePath : C:\WINDOWS\system32\inetsrv\

ProcessID : 864

ThreadCreationTime : 5-31-2006 5:16:12 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Internet Information Services

CompanyName : Microsoft Corporation

FileDescription : Internet Information Services

InternalName : INETINFO.EXE

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : INETINFO.EXE

 

#:20 [msdtc.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 884

ThreadCreationTime : 5-31-2006 5:16:12 PM

BasePriority : Normal

FileVersion : 2001.12.4414.258

ProductVersion : 03.01.00.4414

ProductName : Microsoft Distributed Transaction Coordinator

CompanyName : Microsoft Corporation

FileDescription : MS DTC console program

InternalName : MSDTC.EXE

LegalCopyright : Copyright © Microsoft Corp. 1995-1998

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows is a trademark of Microsoft Corporation

 

#:21 [navapsvc.exe]

FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\

ProcessID : 1028

ThreadCreationTime : 5-31-2006 5:16:12 PM

BasePriority : Normal

FileVersion : 11.0.16.2

ProductVersion : 11.0.16

ProductName : Norton AntiVirus

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Auto-Protect Service

InternalName : NAVAPSVC

LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.

OriginalFilename : NAVAPSVC.EXE

 

#:22 [pqv2isvc.exe]

FilePath : C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\

ProcessID : 1052

ThreadCreationTime : 5-31-2006 5:16:14 PM

BasePriority : Normal

FileVersion : 9.0.2.3981

ProductVersion : 9.0.2.3981

ProductName : Norton Ghost

CompanyName : Symantec Corporation

FileDescription : Service Module

InternalName : PQV2iSvc

LegalCopyright : Copyright © 1994-2004 Symantec Corporation. All rights reserved.

OriginalFilename : PQV2iSvc.exe

 

#:23 [npfmntor.exe]

FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\

ProcessID : 1744

ThreadCreationTime : 5-31-2006 5:16:18 PM

BasePriority : Normal

FileVersion : 11.0.16.2

ProductVersion : 11.0.16

ProductName : Norton AntiVirus

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Firewall Install Monitor

InternalName : NPFMonitor

LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.

OriginalFilename : NPFMonitor.EXE

 

#:24 [nprotect.exe]

FilePath : C:\PROGRA~1\NORTON~1\NORTON~1\

ProcessID : 1920

ThreadCreationTime : 5-31-2006 5:16:18 PM

BasePriority : Normal

FileVersion : 18.0.0.62

ProductVersion : 18.0.0.62

ProductName : Norton Utilities

CompanyName : Symantec Corporation

FileDescription : Norton Protection Status

InternalName : NPROTECT

LegalCopyright : Copyright © 1997-2004 Symantec Corporation

LegalTrademarks : Norton Utilities® and UnErase® are registered trademarks of Symantec Corporation.

OriginalFilename : NPROTECT.EXE

 

#:25 [nvsvc32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1996

ThreadCreationTime : 5-31-2006 5:16:19 PM

BasePriority : Normal

FileVersion : 6.13.10.2835

ProductVersion : 6.13.10.2835

ProductName : NVIDIA Driver Helper Service, Version 28.35

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 28.35

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:26 [snmp.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 2208

ThreadCreationTime : 5-31-2006 5:16:20 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : SNMP Service

InternalName : snmp.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : snmp.exe

 

#:27 [nopdb.exe]

FilePath : C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\

ProcessID : 2264

ThreadCreationTime : 5-31-2006 5:16:20 PM

BasePriority : Normal

FileVersion : 7.00.0.24

ProductVersion : 7.00.0.24

ProductName : Norton Speed Disk

CompanyName : Symantec Corporation

FileDescription : NOPDB

InternalName : NOPDB

LegalCopyright : Copyright © 1997-2004 Symantec Corporation

OriginalFilename : NOPDB.dll

 

#:28 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 2316

ThreadCreationTime : 5-31-2006 5:16:20 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:29 [symlcsvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\

ProcessID : 2364

ThreadCreationTime : 5-31-2006 5:16:20 PM

BasePriority : Normal

FileVersion : 1, 8, 54, 478

ProductVersion : 1, 8, 54, 478

ProductName : Symantec Core Component

CompanyName : Symantec Corporation

FileDescription : Symantec Core Component

InternalName : symlcsvc

LegalCopyright : Copyright © 2003

OriginalFilename : symlcsvc.exe

 

#:30 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2396

ThreadCreationTime : 5-31-2006 5:16:20 PM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:31 [mqsvc.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2560

ThreadCreationTime : 5-31-2006 5:16:21 PM

BasePriority : Normal

FileVersion : 5.01.1108

ProductVersion : 5.01.1108

ProductName : Microsoft Message Queue

CompanyName : Microsoft Corporation

FileDescription : Message Queuing Service

LegalCopyright : Copyright © Microsoft Corporation. 1981-2000

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows NT is a trademark of Microsoft Corporation

OriginalFilename : MQSVC.EXE

 

#:32 [mqtgsvc.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3160

ThreadCreationTime : 5-31-2006 5:16:28 PM

BasePriority : Normal

FileVersion : 5.01.1108

ProductVersion : 5.01.1108

ProductName : Microsoft Message Queue

CompanyName : Microsoft Corporation

FileDescription : Windows NT MSMQ Trigger Service

LegalCopyright : Copyright © Microsoft Corporation. 1981-2000

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows NT is a trademark of Microsoft Corporation

OriginalFilename : QMTGSVC.EXE

 

#:33 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 3460

ThreadCreationTime : 5-31-2006 5:16:37 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:34 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1324

ThreadCreationTime : 5-31-2006 6:01:06 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:35 [wuauclt.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2928

ThreadCreationTime : 5-31-2006 6:01:20 PM

BasePriority : Normal

FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

ProductVersion : 5.8.0.2469

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Automatic Updates

InternalName : wuauclt.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wuauclt.exe

 

#:36 [atmclk.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3872

ThreadCreationTime : 5-31-2006 6:01:21 PM

BasePriority : Normal

 

 

#:37 [dcomcfg.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3008

ThreadCreationTime : 5-31-2006 6:01:22 PM

BasePriority : Normal

 

 

#:38 [ccapp.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 2760

ThreadCreationTime : 5-31-2006 6:01:22 PM

BasePriority : Normal

FileVersion : 103.0.5.2

ProductVersion : 103.0.5.2

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec User Session

InternalName : ccApp

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccApp.exe

 

#:39 [qttask.exe]

FilePath : C:\Program Files\QuickTime\

ProcessID : 4044

ThreadCreationTime : 5-31-2006 6:01:22 PM

BasePriority : Normal

FileVersion : 6.4

ProductVersion : QuickTime 6.4

ProductName : QuickTime

CompanyName : Apple Computer, Inc.

InternalName : QuickTime Task

LegalCopyright : © Apple Computer, Inc. 2001-2003

OriginalFilename : QTTask.exe

 

#:40 [ctfmon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1176

ThreadCreationTime : 5-31-2006 6:01:22 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:41 [msmsgs.exe]

FilePath : C:\Program Files\Messenger\

ProcessID : 3016

ThreadCreationTime : 5-31-2006 6:01:25 PM

BasePriority : Normal

FileVersion : 4.7.3001

ProductVersion : Version 4.7.3001

ProductName : Messenger

CompanyName : Microsoft Corporation

FileDescription : Windows Messenger

InternalName : msmsgs

LegalCopyright : Copyright © Microsoft Corporation 2004

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.

OriginalFilename : msmsgs.exe

 

#:42 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Plus\

ProcessID : 512

ThreadCreationTime : 5-31-2006 6:01:42 PM

BasePriority : Normal

FileVersion : 6.2.0.237

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\John\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-796845957-813497703-1343024091-1003\software\microsoft\internet explorer\main

Description : last save directory used in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-796845957-813497703-1343024091-1003\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-796845957-813497703-1343024091-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-796845957-813497703-1343024091-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-796845957-813497703-1343024091-1003\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 12-31-2037 5:00:00 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:4

Value : Cookie:[email protected]/

Expires : 5-30-2011 8:26:56 AM

LastSync : Hits:4

UseCount : 0

Hits : 4

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 2

Objects found so far: 9

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

 

 

Deep scanning and examining files (E:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for E:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 9

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

 

11:26:51 AM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:23:40.633

Objects scanned:255719

Objects identified:2

Objects ignored:0

New critical objects:2

Hi, JHarborough. Don't worry, we can help without defrag. There will be some other tools needed though. Let's start with an initial log.

 

Please download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip . Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.

 

Open the SmitfraudFix folder

  1. Double-click smitfraudfix.cmd
  2. Select option #1 - Search by

    1. typing 1
    2. pressing "Enter"

  3. A text file will appear which lists infected files (if present).
  4. Please copy/paste the content of that report into your reply to this thread.

Note

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. (See http://www.beyondlogic.org/consulting/proc...processutil.htm )


 

 

Corrine,

 

Thanks for the response. I was able to get some information from another discussion, which, as you had said, was to download SmitfraudFix. Here is what I did.

 

Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

 

3. Reboot into Safe Mode

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

4. Open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

........................

5. Get an online scan here:

eTrust Antivirus Web Scanner

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)

It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system. SAVE the report at the end to copy back here please.

 

(This scan to make sure your Wininet.dll is fixed if infected)

 

6. Start Ewido AntiMalware

 

a. Click on scanner

 

b. Click on *complete system scan*

 

c. Let the program scan the machine.

 

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.

Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

 

Click OK.

 

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

 

7. Now please scan with HijackThis to produce a log. Post that log into your topic along with the Ewido log you saved earlier and the eTrust report.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Ewido Scan report

 

Fresh HijackThis log

 

eTrust scan report

 

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start > Run, click on *My Computer*.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start > Run, click on *My Computer*.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

 

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help.

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft. They usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits, and if not patched, you are vulnerable!

Windows Update

http://update.microsoft.com/microsoftupdate/

 

And see this link for instructions on how to configure the enhanced security features in SP2:

http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

 

I also highly recommend getting the free tool Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE browser security settings. Get the download here:

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/security/...s/mbsahome.mspx

Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

 

 

 

It seemed to work. I did save my Ewido scan. I guess it was a trojan.muel or something like that. I think I got it by downloading a corrupted version of Mozilla Firefox. Not sure.

BTW, why are we supposed to do a "HijackThis" file for support??? Just curious.

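The System Restore reset described in the instructions quoted above (turn it off, reboot, turn it back on), as an added example that is not part of the original thread: the same sequence expressed in Windows PowerShell, which is assumed to be available (Windows PowerShell 2.0 or later on a client edition of Windows, run from an administrator session; these cmdlets are not shipped on server editions). The drive letter, the checkpoint description and the script's own administrator check are assumptions, not something the thread prescribes.

```powershell
# Added example (not from the original thread): the Windows XP "turn System Restore off,
# reboot, turn it back on" procedure expressed in Windows PowerShell.
# Assumptions: Windows PowerShell 2.0 or later on a client edition of Windows (these cmdlets
# are not shipped on server editions), an administrator session, and C:\ as the system drive.
$Drive = "C:\"

# The thread's point about needing an administrator account applies here as well.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an administrator session; System Restore cannot be changed otherwise."
}

# 1. Show what is about to be discarded: every restore point, oldest first. CreationTime is a
#    WMI (DMTF) timestamp string, so convert it before printing.
$before = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
"Restore points before reset: $($before.Count)"
foreach ($rp in $before) {
    $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
    "  #{0,-4} {1:yyyy-MM-dd HH:mm}  {2}" -f $rp.SequenceNumber, $created, $rp.Description
}

# 2. Turn System Restore off. Disabling it on a drive deletes every restore point on that
#    drive, which is the whole purpose of the exercise: any malware copied into the
#    System Volume Information folder goes with them.
Disable-ComputerRestore -Drive $Drive

# 3. Turn it back on and immediately take a fresh checkpoint of the cleaned machine, so there
#    is a known-good point to roll back to if something was missed.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description "Clean after malware removal" -RestorePointType MODIFY_SETTINGS

# 4. Verify: the only restore point left should be the one just created.
$after = @(Get-ComputerRestorePoint)
"Restore points after reset: $($after.Count)"
$after | Select-Object SequenceNumber, Description | Format-Table -AutoSize
```

The script does not reboot; to mirror the thread exactly, restart the machine between the Disable-ComputerRestore and Enable-ComputerRestore lines. On Windows 8 and later, Checkpoint-Computer declines to create a restore point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0, so check the final listing rather than assuming the checkpoint exists.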

One other thing of note: I installed IE 7 Beta 2. I heard that is safer than IE 6? Not sure.

Also curious how SmitfraudFix removed components of the malware from my Quick Launch toolbar, but Ewido still had to go in and completely remove the spyware from the registry?


Hi, JHarborough. Just to make things simpler, when you reply, click on the Add Reply button (not Reply) so the prior post won't be quoted. Thanks.

 

Regarding your questions on HijackThis, ewido and SmitfraudFix, they are all different tools designed to perform different functions. SmitfraudFix, for example, was developed by a member of the security community specifically for this infection. As new variants are obtained, the fix is updated, almost daily.

 

As to the infection, it was more likely a drive-by install and certainly not from mozilla.com.

 

IE 7 is still beta software, but has come a long way since it was first released. If you are not having problems with it, just leave it be. However, make sure to get updates as they are released.

 

Is your PC working ok now?

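An added check that follows from the exchange above, not code from the thread or from HijackThis, SmitfraudFix or Ewido: the same hijack leaves traces in several places (the home page value, auto-start registry entries, the Quick Launch and Startup folders, the hosts file), which is why one tool removes the Quick Launch items while another has to deal with the registry, and why a helper asks for a HijackThis log rather than taking any single tool's word that the machine is clean. The script below is a read-only inventory of those locations in Windows PowerShell (assumed to be 3.0 or later). The registry paths and folders are the standard Windows ones; $ExpectedStartPage is a placeholder you must replace with the home page you actually set.

```powershell
# Added check, not code from the thread or from HijackThis, SmitfraudFix or Ewido.
# Read-only inventory of the places the hijacker in this thread lived: the IE start/search
# pages, the Run/RunOnce keys, the Startup and Quick Launch folders and the hosts file.
# Assumptions: Windows PowerShell 3.0 or later; $ExpectedStartPage is a placeholder for the
# home page you actually configured.
$ExpectedStartPage = "https://www.example.com/"

$report = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Where, [string]$What, [string]$Note) {
    $report.Add([pscustomobject]@{ Where = $Where; What = $What; Note = $Note })
}

# 1. Browser start and search pages (the R0/R1 entries of a HijackThis log). The thread's
#    redirect to a "buy our product" site shows up as a value that is not the expected page.
foreach ($hive in "HKCU", "HKLM") {
    $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    if (-not (Test-Path $key)) { continue }
    $main = Get-ItemProperty -Path $key
    foreach ($name in "Start Page", "Default_Page_URL", "Search Page") {
        $value = $main.$name
        if ([string]::IsNullOrEmpty($value)) { continue }
        $note = if ($value -eq $ExpectedStartPage) { "ok" } else { "REVIEW: not the expected page" }
        Add-Finding "$key\$name" $value $note
    }
}

# 2. Auto-start registry values (the O4 entries). Everything listed here runs at logon.
$metaProps = "PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider"
foreach ($hive in "HKCU", "HKLM") {
    foreach ($sub in "Run", "RunOnce") {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $metaProps -notcontains $_.Name } |
            ForEach-Object { Add-Finding "$key\$($_.Name)" $_.Value "auto-start" }
    }
}

# 3. Startup and Quick Launch folders. Shortcuts are resolved so the real target is reviewed,
#    not the icon label the malware chose.
$shell = New-Object -ComObject WScript.Shell
$folders = @(
    [Environment]::GetFolderPath("Startup"),
    [Environment]::GetFolderPath("CommonStartup"),
    (Join-Path $env:APPDATA "Microsoft\Internet Explorer\Quick Launch")
)
foreach ($folder in $folders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($item in Get-ChildItem -Path $folder -File -Force) {
        $target = $item.FullName
        if ($item.Extension -eq ".lnk") { $target = $shell.CreateShortcut($item.FullName).TargetPath }
        Add-Finding $item.FullName $target "startup folder / Quick Launch"
    }
}

# 4. hosts file: any IPv4 mapping other than localhost deserves a look, since a hijacker can
#    point vendor update sites or the real home page at an address it controls.
$hosts = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
Get-Content -Path $hosts |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { Add-Finding $hosts $_.Trim() "hosts entry" }

$report | Format-Table -AutoSize -Wrap
```

The script changes nothing; it only reports. Run it once before cleanup and once after, and compare the two listings: the redirecting Start Page value, any Run entry pointing into a temp or user-profile folder, and any shortcut whose resolved target is not a program you installed are the lines to investigate. Every "REVIEW" line is a prompt for a human decision, not a verdict, because a value that is not your expected page may simply be a vendor default (the HKLM Default_Page_URL usually is).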