
Winfixer problem...plus?



Old 11-21-2005, 05:40 AM   #1
I helped the forums.
 
Join Date: Jun 2005
Posts: 17
OS: XP



Winfixer sucks. You folks helped me before and I made a donation - Thanks. Here's my Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:52 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\windows\system32\wsdxregt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Registry Cleaner Trial\RegClean.exe
C:\Program Files\WinFixer2005\uwfx5.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NI.UWFX5\setup.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\system32\ysysuv6d.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [k52eOqtZ] C:\WINDOWS\xinvtv.exe
O4 - HKLM\..\Run: [fv6us3ud] C:\WINDOWS\system32\fv6us3ud.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5NetInstaller.exe"
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\wsdxregt.exe DO0605
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\ysysuv6d.exe DO0605
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] C:\WINDOWS\is-55M9D.exe /REG
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU\..\Run: [WinFixer2005] C:\Program Files\WinFixer2005\uwfx5.exe /scan
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ysysuv6d.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\cxdxregt.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/...er/Install.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...ms1002_sp2.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Hope you can help. Thanks.

__________________
el-daddio is offline  
Old 11-21-2005, 10:37 AM   #2
Management Team, Security Center
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 26,480
OS: N/A


Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp! - Install.

ssk-xp.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


With HiJackThis, place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mo...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mo...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [k52eOqtZ] C:\WINDOWS\xinvtv.exe
O4 - HKLM\..\Run: [fv6us3ud] C:\WINDOWS\system32\fv6us3ud.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5NetInstaller.exe"
O4 - HKLM\..\Run: [ZStart] C:\windows\system32\wsdxregt.exe DO0605
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\ysysuv6d.exe DO0605
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU\..\Run: [WinFixer2005] C:\Program Files\WinFixer2005\uwfx5.exe /scan
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\ysysuv6d.exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\system32\cxdxregt.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com...ver/Install.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.c..._ms1002_sp2.cab


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • Software Online
  • Winfixer
Please note any other programs that you don't recognize in that list in your next response


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Double click on ssk-xp.zip & Run ssk-xp.bat & follow the prompts


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files/folders, if present:
  • C:\PROGRA~1\SOFTWA~1\
    C:\Program Files\WinFixer2005\
    C:\WINDOWS\system32\nsvsvc\
    C:\WINDOWS\system32\communicator.dll
    C:\WINDOWS\xinvtv.exe
    C:\WINDOWS\system32\fv6us3ud.exe
    C:\windows\system32\wsdxregt.exe
    C:\WINDOWS\system32\stb.exe
    C:\WINDOWS\system32\ysysuv6d.exe
    C:\WINDOWS\system32\cxdxregt.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

It would produce a log called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

__________________

sUBs is offline  
Old 11-22-2005, 11:41 AM   #3
I helped the forums.
 
Join Date: Jun 2005
Posts: 17
OS: XP


got it. will do. I will post new Hijack after Tanxgiving. I have to use my work computer to access Internet, since the one I'm fixing won't do it well.

Merry Turkey Day!
__________________
el-daddio is offline  
Old 11-29-2005, 06:09 AM   #4
I helped the forums.
 
Join Date: Jun 2005
Posts: 17
OS: XP


Here are my posts. Also, I have these things called Registry Cleaner, OmniPass, weather services, surf accuracy that don't seem to want to uninstall. Otherwise, the system seems to be working much better. In addition, that .bat file wouldn't run for some reason. I was going to download it again, but the machine seemed to be working, so I thought I'd wait.

How can I keep this Winfixer thing from showing up again??

Logfile of HijackThis v1.99.1
Scan saved at 8:04:43 PM, on 11/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\rndsrego.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Registry Cleaner Trial\RegClean.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spdevoaw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmoAgent.exe
C:\Program Files\Trend Micro\Tmas\tmas.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [{4B-B7-70-00-ZN}] C:\windows\system32\rndsrego.exe DO0605
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\spdevoaw.exe DO0605
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\spdevoaw.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/...er/Install.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:08:43 PM, 11/28/2005
+ Report-Checksum: 2760EAA3

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{508EBE65-E39D-4363-8041-E647B4F6F4E1}\TypeLib\\ -> Spyware.NavExcel : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5}\TypeLib\\ -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0}\TypeLib\\ -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Updater.BHO\CLSID\\ -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll\\.Owner -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll\\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SyncroAdX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SyncroAdX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 -> Spyware.MoneyMaker : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5AA06644-BC46-4220-A460-47A6EB47C96D} -> Spyware.NavExcel : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00320615-B6C2-40A6-8F99-F1C52D674FAD} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D7E3B41-23CE-469B-BE1B-A64B877923E1} -> Spyware.BlazeFind : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AA06644-BC46-4220-A460-47A6EB47C96D} -> Spyware.NavExcel : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D80C4E21-C346-4E21-8E64-20746AA20AEB} -> Spyware.NavExcel : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-3438501309-1197074531-951288122-1003\Software\Mvu -> Spyware.Delfin : Cleaned with backup
C:\criticals.exe -> Backdoor.Rbot : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\Program Files\SoftwareOnline\soproc.exe -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\SurfAccuracy -> Adware.SurfAccuracy : Cleaned with backup
C:\Program Files\SurfAccuracy\SAcc.cfg -> Adware.SurfAccuracy : Cleaned with backup
C:\Program Files\WinFixer 2005 -> Spyware.WinFixer : Cleaned with backup
C:\Tsk-mger-bkn.exeN88836563870222 -> Backdoor.Rbot : Cleaned with backup
C:\Tsk-mger-bkn.exeN88836563870222236257 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_LPNetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\WINDOWS\system32\cxdxregt.exe -> Trojan.Zx.12 : Cleaned with backup
C:\WINDOWS\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system32\qlink32.dll -> TrojanDownloader.Small : Cleaned with backup
C:\WINDOWS\system32\wsdxregt.exe -> Trojan.Zx.12 : Cleaned with backup
C:\WINDOWS\system32\ysysuv2d.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End
el-daddio is offline  
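The two ewido "Scan report" blocks in this thread are long lists of `<location> -> <Detection.Name> : <Action>` lines, and the useful triage question is not how many lines there are but whether any of them are a backdoor or kernel driver (here `Backdoor.Rbot` and `Trojan.Rootkit.Agent.af`). The following parser is an added example written for this page; it is not ewido's code and not part of anyone's post. It assumes only the one-finding-per-line grammar visible in the reports above, and the severity table it uses (`SEVERITY_BY_PREFIX`, `CRITICAL`) is this example's own heuristic, not an ewido rating. The sample input is a short excerpt copied from the report above.

```python
"""Parse an ewido 'Scan report' and rank what it found.

Added example for this thread, not part of the original post and not ewido's
own code. The report grammar it assumes (one finding per line, in the form
'<location> -> <Detection.Name> : <Action>') is taken from the reports pasted
above; the severity table below is this example's own heuristic.
"""
from __future__ import annotations

from dataclasses import dataclass

# Short excerpt of the ewido report posted above (same lines, fewer of them).
SAMPLE_REPORT = r"""
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:08:43 PM, 11/28/2005
+ Report-Checksum: 2760EAA3

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
C:\criticals.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\WINDOWS\system32\qlink32.dll -> TrojanDownloader.Small : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\WinFixer 2005 -> Spyware.WinFixer : Cleaned with backup


::Report End
"""

# Severity by detection-name prefix (heuristic chosen for this example, not an
# ewido rating). 4 = remote control or kernel persistence, 3 = trojan or
# downloader, 2 = adware/spyware binary, 1 = tracking cookie.
CRITICAL = 4
SEVERITY_BY_PREFIX = {
    "Backdoor": 4,
    "Trojan": 3,
    "TrojanDownloader": 3,
    "Dialer": 3,
    "Spyware": 2,
    "Adware": 2,
    "Not-A-Virus": 2,
}


@dataclass(frozen=True)
class Finding:
    location: str   # file path or registry key as printed by ewido
    detection: str  # e.g. 'Backdoor.Rbot'
    action: str     # e.g. 'Cleaned with backup'
    severity: int


def classify(detection: str, location: str) -> int:
    """Map a detection name (and where it was found) to a severity 1..4."""
    family = detection.split(".", 1)[0]
    severity = SEVERITY_BY_PREFIX.get(family, 2)
    if detection.startswith("Spyware.Cookie."):
        severity = 1                       # tracking cookie, not executable code
    if "Rootkit" in detection:
        severity = CRITICAL                # kernel-level hiding
    if location.lower().endswith(".sys") and "\\drivers\\" in location.lower():
        severity = CRITICAL                # any flagged kernel driver
    return severity


def parse_report(text: str) -> list[Finding]:
    """Extract one Finding per '<location> -> <detection> : <action>' line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if " -> " not in line or " : " not in line:
            continue                       # header, checksum and separator lines
        location, rest = line.rsplit(" -> ", 1)
        detection, action = rest.rsplit(" : ", 1)
        findings.append(Finding(location, detection, action,
                                classify(detection, location)))
    return findings


def triage(findings: list[Finding]) -> dict:
    """Summarise a parsed report for a first-pass decision."""
    by_severity: dict[int, int] = {}
    for f in findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    critical = [f for f in findings if f.severity == CRITICAL]
    not_cleaned = [f for f in findings if not f.action.startswith("Cleaned")]
    return {
        "total": len(findings),
        "by_severity": by_severity,
        "critical": [f.detection for f in critical],
        "not_cleaned": [f.location for f in not_cleaned],
        # A backdoor or rootkit means the box was remotely controllable; a
        # scanner's 'Cleaned' line is not evidence that it is trustworthy again.
        "reimage_advised": bool(critical),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a full report saved from ewido (paste the whole file into `SAMPLE_REPORT` or read it from disk) and look at `critical` and `not_cleaned` first; `by_severity` only tells you how much adware came along for the ride.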
Old 11-29-2005, 06:27 AM   #5
Management Team, Security Center
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 26,480
OS: N/A


Please post the report created by Panda Activescan.
sUBs is offline  
Old 12-02-2005, 06:29 AM   #6
I helped the forums.
 
Join Date: Jun 2005
Posts: 17
OS: XP


Okay, I got lots of stuff for you. I don't know if the Panda stuff is here, though. I might have forgotten to include it (I'm working on two machines because the broken one wouldn't load pages):

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:14:50 PM, 12/1/2005
+ Report-Checksum: 78019E7F

+ Scan result:

C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@commission-junction[2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\system32\esysihiz.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\ysysuviz.exe -> Spyware.ZenoSearch : Cleaned with backup


::Report End

Anti Spyware:
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=HPA320N
Time=Mon Nov 28 19:47:01 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Started Scanning
Programs in Memory
Finished Scanning
Started Scanning
Internet Cookies
Internet Cookies: Found '2o7.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'atdmt.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'bannerspace.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'doubleclick.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'pro-market.net' in 'Internet Explorer Cache'
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zeno Search Assistant'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Zeno'
Internet URL Shortcuts
Files and Directories
Files and Directories: Found '' in 'C:\Documents and Settings\All Users\Application Data\nsv\cache'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Internet Cookies: Cleaned '2o7.net' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'atdmt.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'bannerspace.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'doubleclick.net' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'pro-market.net' in 'Internet Explorer Cache'
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zeno Search Assistant'
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Zeno'
Files and Directories: Cleaned '436.dfn' in 'C:\Documents and Settings\All Users\Application Data\nsv\cache'
Files and Directories: Cleaned '538.dfn' in 'C:\Documents and Settings\All Users\Application Data\nsv\cache'
Files and Directories: Cleaned '' in 'C:\Documents and Settings\All Users\Application Data\nsv\cache'
Finished Cleaning
IE Plugins: Found '{15F4D456-5BAA-4076-8486-EECB38CD3E57}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{512ACF1B-64D9-4928-B382-A80556F28DB4}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{53707962-6F74-2D53-2644-206D7942484F}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{656EC4B7-072B-4698-B504-2A414C1F0037}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{9579D574-D4D8-4335-9560-FE8641A013BD}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{E713904C-DF05-4C79-BBAD-02DB923253BE}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{C7768536-96F8-4001-B1A2-90EE21279187}' in 'SOFTWARE\Microsoft\Internet Explorer\Toolbar'
IE Plugins: Found '{DE9C389F-3316-41A7-809B-AA305ED9D922}' in 'SOFTWARE\Microsoft\Internet Explorer\Toolbar'
IE Plugins: Found '{44F9B173-041C-4825-A9B9-D914BD9DCBB3}' in 'Software\Microsoft\Internet Explorer\URLSearchHooks'
Web Browser Security Settings: Found 'Start Page' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'SearchAssistant' in 'SOFTWARE\Microsoft\Internet Explorer\Search'
Web Browser Security Settings: Found 'DefaultSearchURL' in 'SOFTWARE\Microsoft\Search Assistant'
Web Browser Security Settings: Found 'DisableCachingOfSSLPages' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Web Browser Security Settings: Found 'WarnOnZoneCrossing' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Web Browser Security Settings: Found 'Persistent' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache'
Web Browser Security Settings: Found 'msn' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ '
Web Browser Security Settings: Found 'aim' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ '
Web Browser Security Settings: Found 'AIM Search' in 'Software\Microsoft\Internet Explorer\MenuExt\&AIM Search'
Web Browser Security Settings: Found 'AOL Toolbar Search' in 'Software\Microsoft\Internet Explorer\MenuExt\&AOL Toolbar Search'
IE Downloaded Program Files: Found 'CInstall Class' in 'C:\WINDOWS\Downloaded Program Files\Install.dll,C:\WINDOWS\Downloaded Program Files\Install.inf'
Layered Service Providers (LSP's): Found 'PropelLSP over [MSAFD Tcpip [TCP/IP]]' in 'C:\Program Files\EarthLink TotalAccess\Accelerator\prplsf.dll'
Layered Service Providers (LSP's): Found 'PropelLSP over [MSAFD Tcpip [UDP/IP]]' in 'C:\Program Files\EarthLink TotalAccess\Accelerator\prplsf.dll'
Layered Service Providers (LSP's): Found 'PropelLSP over [MSAFD Tcpip [RAW/IP]]' in 'C:\Program Files\EarthLink TotalAccess\Accelerator\prplsf.dll'
Layered Service Providers (LSP's): Found 'PropelLSP' in 'C:\Program Files\EarthLink TotalAccess\Accelerator\prplsf.dll'
Windows Policy Settings: Found 'forceguest' in 'SYSTEM\CurrentControlSet\Control\Lsa'
Windows Policy Settings: Found 'limitblankpassworduse' in 'SYSTEM\CurrentControlSet\Control\Lsa'
Windows Policy Settings: Found 'forceunlocklogon' in 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Services: Found 'ewido security suite control' in ''
Services: Found 'ewido security suite guard' in ''
Services: Found 'LexBce Server' in ''
Services: Found 'Softex OmniPass Service' in ''
Windows Shell Settings: Found '{54D9498B-CF93-414F-8984-8CE7FDE0D391}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
Windows Shell Settings: Found 'ewido' in 'SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ewido'
Windows Shell Settings: Found 'TDS-3' in 'SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\TDS-3'
Windows Shell Settings: Found '{48F45200-91E6-11CE-8A4F-0080C81A28D4}' in 'SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}'
Windows Shell Settings: Found '{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{19CC43A1-6925-4B48-B292-830291F393A6}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{48F45200-91E6-11CE-8A4F-0080C81A28D4}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{771A9DA0-731A-11CE-993C-00AA004ADB6C}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found 'Favorites' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Program Startup Areas: Found 'HotKeysCmds' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'CamMonitor' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'AutoTKit' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'Recguard' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'Sunkist2k' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'LXSUPMON' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'IgfxTray' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'TkBellExe' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found '{4B-B7-70-00-ZN}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'BrowserUpdateSched' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'BackupNotify' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'msnmsgr' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'NetZero_uoltray' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'SpySweeper' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'AIM' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'Registry Cleaner' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'DW4' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'E6TaskPanel' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'C:\hp\bin\cloaker.exe c:\hp\bin\commands /ww /c c:\hp\bin\mod_sm.cmd' in 'C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\mod_sm.lnk'
Program Startup Areas: Found 'C:\hp\bin\cloaker.exe c:\hp\bin\commands /ww /c c:\hp\bin\mod_sm.cmd' in 'C:\Documents and Settings\Administrator.HPA320N\Start Menu\Programs\Startup\mod_sm.lnk'
Program Startup Areas: Found 'C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe' in 'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Media Card Companion Monitor.lnk'
Program Startup Areas: Found 'C:\hp\bin\cloaker.exe c:\hp\bin\commands /ww /c c:\hp\bin\mod_sm.cmd' in 'C:\Documents and Settings\Default User\Start Menu\Programs\Startup\mod_sm.lnk'
Program Startup Areas: Found 'C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe' in 'C:\Documents and Settings\jberger\Start Menu\Programs\Startup\Download Plus.lnk'
Program Startup Areas: Found 'C:\WINDOWS\system32\spdevoaw.exe DO0605' in 'C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Zeno.lnk'
IE Downloaded Program Files: Found 'ActiveScan Installer Class' in 'C:\WINDOWS\Downloaded Program Files\asinst.inf'
IE Plugins: Found '{02478D38-C3F9-4EFB-9B51-7695ECA05670}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
IE Plugins: Found '{EF99BD32-C1FB-11D2-892F-0090271D4F88}' in 'SOFTWARE\Microsoft\Internet Explorer\Toolbar'
Windows Shell Settings: Found '{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}' in 'SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}'
Windows Shell Settings: Found '{B327765E-D724-4347-8B16-78AE18552FC3}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Windows Shell Settings: Found '{7F1CF152-04F8-453A-B34C-E609530A9DC8}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
Program Startup Areas: Found 'NeroHomeFirstStart' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Program Startup Areas: Found 'LexPPS.exe' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=HPA320N
Time=Thu Dec 01 16:14:51 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Started Scanning
Programs in Memory
Finished Scanning
Program Startup Areas: Found 'BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Started Backup
Finished Backup
Started Cleaning
Program Startup Areas: Cleaned 'BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}' in 'S-1-5-21-3438501309-1197074531-951288122-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Finished Cleaning
--------------------------------- Anti-Spyware session ended ---------------------------------
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=HPA320N
Time=Thu Dec 01 16:26:54 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Started Scanning
Programs in Memory
Finished Scanning
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=HPA320N
Time=Thu Dec 01 16:45:38 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Started Scanning
Programs in Memory
Finished Scanning
Program Startup Areas: Found 'BackupNotify' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_DefaultUserProfile\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'NeroHomeFirstStart' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_DefaultUserProfile\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Program Startup Areas: Found 'BackupNotify' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_S-1-5-21-3438501309-1197074531-951288122-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'SurfSideKick 3' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_S-1-5-21-3438501309-1197074531-951288122-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'NeroHomeFirstStart' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_S-1-5-21-3438501309-1197074531-951288122-500\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Started Backup
Finished Backup
Started Cleaning
Program Startup Areas: Cleaned 'BackupNotify' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_DefaultUserProfile\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Cleaned 'NeroHomeFirstStart' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_DefaultUserProfile\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Program Startup Areas: Cleaned 'BackupNotify' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_S-1-5-21-3438501309-1197074531-951288122-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Cleaned 'SurfSideKick 3' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_S-1-5-21-3438501309-1197074531-951288122-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Cleaned 'NeroHomeFirstStart' in 'bc559b7d-d195-4265-85a3-09eba9161989_00000D74_S-1-5-21-3438501309-1197074531-951288122-500\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Finished Cleaning
Program Startup Areas: Found 'OmniPassNeedReboot' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=HPA320N
Time=Thu Dec 01 19:19:55 2005
Product Version=3, 0, 1, 23
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Started Scanning
Internet Cookies
Internet Cookies: Found '2o7.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'apmebf.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'imrworldwide.com' in 'Internet Explorer Cache'
Internet Cookies: Found 'doubleclick.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'fastclick.net' in 'Internet Explorer Cache'
Internet Cookies: Found 'hits.clickandtrack.net' in 'Internet Explorer Cache'
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found 'C:\WINDOWS\Downloaded Program Files\ysbactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Found 'BandRest' in 'S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Found 'BandRest' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll'
Windows Registry: Found '' in 'PCheck.PCheck.1'
Windows Registry: Found '' in 'TypeLib\{3BFF2EF1-25BA-4342-A1E8-EC1E2CB9F22B}'
Windows Registry: Found '' in 'Interface\{FC0FE3C3-3359-4CF5-A72D-7F361FA0ECEB}'
Windows Registry: Found '' in 'CLSID\{FD1A9E6B-05DA-4ca2-830D-654DA1DDBD9E}'
Windows Registry: Found 'C:\WINDOWS\Downloaded Program Files\istactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Found 'C:\WINDOWS\Downloaded Program Files\ysbactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Zeno'
Windows Registry: Found 'C:\WINDOWS\Downloaded Program Files\ISTactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Found 'C:\Program Files\Common Files\WinSoftware\FCrXML.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Found 'C:\Program Files\Common Files\WinSoftware\PrCheck.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Found '' in 'PCheck.PCheck'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SAcc'
Windows Registry: Found '' in 'S-1-5-21-3438501309-1197074531-951288122-1003\Software\Local AppWizard-Generated Applications\Popup'
Windows Registry: Found '' in 'communicator.COMMUNICATORMenu Button'
Windows Registry: Found '' in 'communicator.COMMUNICATORToggle Button'
Windows Registry: Found '' in 'communicator.COMMUNICATOR'
Windows Registry: Found '' in 'AppID\{8C65AEF6-E413-4314-815B-82717A3F1603}'
Windows Registry: Found '' in 'SOFTWARE\Classes\AppID\{8C65AEF6-E413-4314-815B-82717A3F1603}'
Windows Registry: Found '' in 'S-1-5-21-3438501309-1197074531-951288122-1003\Software\COMMUNICATOR TOOLBAR'
Windows Registry: Found '' in 'CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB42A}'
Windows Registry: Found '' in 'CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}'
Windows Registry: Found 'C:\WINDOWS\Downloaded Program Files\ISTactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Quick Links'
Windows Registry: Found '' in 'Software\Microsoft\Windows\CurrentVersion\Uninstall\Related Sites Toolbar'
Internet URL Shortcuts
Files and Directories
Files and Directories: Found '' in 'C:\Documents and Settings\All Users\Application Data\nsv'
Files and Directories: Found '' in 'C:\Documents and Settings\All Users\Application Data\vidctrl'
Files and Directories: Found 'backup-20051123-152111-432.inf' in 'C:\Documents and Settings\Owner\Desktop\backups'
Files and Directories: Found 'backup-20051123-152111-594.dll' in 'C:\Documents and Settings\Owner\Desktop\backups'
Files and Directories: Found '' in 'C:\Program Files\Common Files\WinSoftware'
Files and Directories: Found '' in 'C:\Program Files\COMMUNICATOR Toolbar'
Files and Directories: Found '' in 'C:\Program Files\Quick Links'
Files and Directories: Found 'uninst.exe' in 'C:\Program Files\Quick Links'
Files and Directories: Found '' in 'C:\Program Files\Related Sites Toolbar'
Files and Directories: Found 'uninst.exe' in 'C:\Program Files\Related Sites Toolbar'
Files and Directories: Found '' in 'C:\Program Files\WinFixer2005'
Files and Directories: Found 'GRInstall6.dll' in 'C:\WINDOWS\Downloaded Program Files'
Files and Directories: Found 'YSBactivex.dll' in 'C:\WINDOWS\Downloaded Program Files'
Files and Directories: Found '' in 'C:\WINDOWS\system32\nsvsvc'
Files and Directories: Found 'PreUninstallCOM.exe' in 'C:\WINDOWS\system32'
Files and Directories: Found 'PreUninstallQL.exe' in 'C:\WINDOWS\system32'
Files and Directories: Found 'stb.exe' in 'C:\WINDOWS\system32'
Files and Directories: Found '' in 'C:\WINDOWS\system32\vidctrl'
Files and Directories: Found 'ysysuv6d.exe' in 'C:\WINDOWS\system32'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Internet Cookies: Cleaned '2o7.net' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'advertising.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'apmebf.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'imrworldwide.com' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'doubleclick.net' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'fastclick.net' in 'Internet Explorer Cache'
Internet Cookies: Cleaned 'hits.clickandtrack.net' in 'Internet Explorer Cache'
Windows Registry: Cleaned 'C:\WINDOWS\Downloaded Program Files\ysbactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Cleaned 'BandRest' in 'S-1-5-21-3438501309-1197074531-951288122-1003\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned 'BandRest' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll'
Windows Registry: Cleaned '' in 'PCheck.PCheck.1'
Windows Registry: Cleaned '' in 'TypeLib\{3BFF2EF1-25BA-4342-A1E8-EC1E2CB9F22B}'
Windows Registry: Cleaned '' in 'Interface\{FC0FE3C3-3359-4CF5-A72D-7F361FA0ECEB}'
Windows Registry: Cleaned '' in 'CLSID\{FD1A9E6B-05DA-4ca2-830D-654DA1DDBD9E}'
Windows Registry: Cleaned 'C:\WINDOWS\Downloaded Program Files\istactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\ysbactivex.dll'. Error=2.
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll'
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Zeno'
Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\ISTactivex.dll'. Error=2.
Windows Registry: Cleaned 'C:\Program Files\Common Files\WinSoftware\FCrXML.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Cleaned 'C:\Program Files\Common Files\WinSoftware\PrCheck.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Cleaned '' in 'PCheck.PCheck'
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SAcc'
Windows Registry: Cleaned '' in 'S-1-5-21-3438501309-1197074531-951288122-1003\Software\Local AppWizard-Generated Applications\Popup'
Windows Registry: Cleaned '' in 'communicator.COMMUNICATORMenu Button'
Windows Registry: Cleaned '' in 'communicator.COMMUNICATORToggle Button'
Windows Registry: Cleaned '' in 'communicator.COMMUNICATOR'
Windows Registry: Cleaned '' in 'AppID\{8C65AEF6-E413-4314-815B-82717A3F1603}'
Windows Registry: Cleaned '' in 'SOFTWARE\Classes\AppID\{8C65AEF6-E413-4314-815B-82717A3F1603}'
Windows Registry: Cleaned '' in 'S-1-5-21-3438501309-1197074531-951288122-1003\Software\COMMUNICATOR TOOLBAR'
Windows Registry: Cleaned '' in 'CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB42A}'
Windows Registry: Cleaned '' in 'CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}'
Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\ISTactivex.dll'. Error=2.
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Quick Links'
Windows Registry: Cleaned '' in 'Software\Microsoft\Windows\CurrentVersion\Uninstall\Related Sites Toolbar'
Files and Directories: Cleaned 'keys.dat' in 'C:\Documents and Settings\All Users\Application Data\nsv'
Files and Directories: Cleaned '' in 'C:\Documents and Settings\All Users\Application Data\nsv'
Files and Directories: Cleaned '' in 'C:\Documents and Settings\All Users\Application Data\vidctrl'
Files and Directories: Cleaned 'backup-20051123-152111-432.inf' in 'C:\Documents and Settings\Owner\Desktop\backups'
Files and Directories: Cleaned 'backup-20051123-152111-594.dll' in 'C:\Documents and Settings\Owner\Desktop\backups'
Files and Directories: Cleaned 'FCrXML.dll' in 'C:\Program Files\Common Files\WinSoftware'
Files and Directories: Cleaned 'PrCheck.dll' in 'C:\Program Files\Common Files\WinSoftware'
Files and Directories: Cleaned '' in 'C:\Program Files\Common Files\WinSoftware'
Files and Directories: Cleaned 'communicatortb0300.cfg' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache'
Files and Directories: Cleaned 'default.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache'
Files and Directories: Cleaned 'domain.txt' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache'
Files and Directories: Cleaned 'ErrorLog.txt' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache'
Files and Directories: Cleaned '116.234.205.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned '2020search.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned '24ktgoldcasino.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned '30topcasinos.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned '3web.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned '5starsupport.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'about.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'aboutmylife.net.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'address.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'adinf.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'adserver.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'adultfriendfinder.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'advance.net.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'aetheri.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'altavista.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'alwil.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'am-latino.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'amazingtechs.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'amazon.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'americansingles.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'amrecords.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'anykindjob.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'aolserver.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'aoltimewarner.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'apple.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'arcademachine.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'arcadevillage.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'askbobrankin.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'askdavetaylor.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'askj.co.jp.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'atdmt.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'atlantic-coast.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'atomicteen.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'atri.curtin.edu.au.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'av.ibm.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'avertlabs.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'avicom.net.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'baidu.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bangbus.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bankofamerica.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'barnesandnoble.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bazaar.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bbc.co.uk.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bcentral.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bellsouth.net.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bestcelebritysites.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bigbetpoker.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'biosbrain.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bizrate.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'blackdog.net.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'blackjack-strategycard.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bluesoft.co.uk.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'blurty.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bmg.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bmgentertainment.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bmgmusicservice.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bollywoodmusic.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'bollywoodworld.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'buycheapadvertising.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'cai.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'caleida.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'captainstabbin.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'casalemedia.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'casinofortune.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'casinoonnet.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'casinos-online.ws.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'casinosfordummies.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'cccpoker.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'celebhoo.com.ico' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'celebrity-search.com.not' in 'C:\Program Files\COMMUNICATOR Toolbar\Cache\favicons'
Files and Directories: Cleaned 'certifiedmale.org.not' in 'C:\Program Files\COMMUNICATOR Too

And one last Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 8:38:03 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\spdevoaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Registry Cleaner Trial\RegClean.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\spdevoaw.exe DO0605
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\spdevoaw.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/...er/Install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


I reran most of the fixes yesterday and the computer seems improved, though it was loading pages kind of weird for a while - really piecemeal with transparent sections - but that seems better, too.

I have this registry cleaner that doesn't want to uninstall - I don't know how it got on the machine. And I also have a Surf Accuracy that shows on the Add/Remove screen but says it may have already been removed and would I like to delete it from this screen. I didn't delete it from the screen, but I'm suspicious that it's still there and wants me to delete the icon so I'll forget about it.

Thanks for your help.
-- el-daddio
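Reading a cleanup log like the one in the post above takes more than scanning for "Unable to delete". The script below is an added example written for this thread (it is not the cleanup tool's own code and nobody in the thread ran it): it reconciles each Found line against the Cleaned lines and classifies every Unable line. Win32 error code 2 is ERROR_FILE_NOT_FOUND, and in the log each Error=2 line comes after a Cleaned line for the very same SharedDLLs value, so, if the tool is printing raw Win32 codes (an assumption; the log does not say), those lines are a second pass over a value that is already gone rather than a leftover. The sample input is excerpted from the log above plus one constructed Error=5 line; the names SAMPLE_LOG, reconcile and Report are mine, and because the page's log is cut off, stb.exe is used here only to show the "found but never cleaned" case, not as a claim about the real run.

```python
"""Reconcile a spyware cleaner's Found / Cleaned / Unable-to-delete lines.

Added example written for this thread; it is not the cleanup tool's own code.
It assumes the three line shapes visible in the log above and ignores the rest.
"""
import re
from collections import namedtuple

FOUND_RE = re.compile(r"^(?P<cat>[^:]+): Found '(?P<item>[^']*)' in '(?P<where>[^']+)'$")
CLEANED_RE = re.compile(r"^(?P<cat>[^:]+): Cleaned '(?P<item>[^']*)' in '(?P<where>[^']+)'$")
UNABLE_RE = re.compile(r"^Unable to delete registry value '(?P<path>[^']+)'\. Error=(?P<code>\d+)\.$")

# Win32 error 2 is ERROR_FILE_NOT_FOUND; RegDeleteValue returns it for a value that
# no longer exists. Treating the log's "Error=" as a raw Win32 code is an assumption.
ERROR_FILE_NOT_FOUND = 2

Report = namedtuple("Report", "not_cleaned benign_retries real_failures")


def _key(where, item):
    """Found/Cleaned give key and value separately; Unable gives key\\value as one
    path. Registry paths are case-insensitive, so everything is case-folded."""
    return (where.rstrip("\\") + ("\\" + item if item else "")).casefold()


def reconcile(lines):
    """Return (found-but-never-cleaned, benign Error=2 retries, real failures)."""
    found, cleaned, unable = [], set(), []
    for line in (l.strip() for l in lines):
        if m := FOUND_RE.match(line):
            found.append(_key(m["where"], m["item"]))
        elif m := CLEANED_RE.match(line):
            cleaned.add(_key(m["where"], m["item"]))
        elif m := UNABLE_RE.match(line):
            unable.append((m["path"].casefold(), int(m["code"])))
    not_cleaned = [k for k in found if k not in cleaned]
    benign, real = [], []
    for path, code in unable:
        # A "not found" failure on a value an earlier line already cleaned is the
        # tool walking the same item twice, not something left behind.
        if code == ERROR_FILE_NOT_FOUND and path in cleaned:
            benign.append(path)
        else:
            real.append((path, code))
    return Report(not_cleaned, benign, real)


# Lines excerpted from the log above, plus one constructed Error=5 line (access
# denied) to show what a real failure looks like. The page's log is cut off, so
# whether stb.exe was cleaned later is unknown; here it stands in for an uncleaned item.
SAMPLE_LOG = r"""
Windows Registry: Found '' in 'CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}'
Windows Registry: Found 'C:\WINDOWS\Downloaded Program Files\ISTactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Quick Links'
Files and Directories: Found 'stb.exe' in 'C:\WINDOWS\system32'
Finished Scanning
Started Cleaning
Windows Registry: Cleaned 'C:\WINDOWS\Downloaded Program Files\ysbactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Windows Registry: Cleaned 'C:\WINDOWS\Downloaded Program Files\istactivex.dll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\ysbactivex.dll'. Error=2.
Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\ISTactivex.dll'. Error=2.
Windows Registry: Cleaned '' in 'CLSID\{4E7BD74F-2B8D-469E-8DBC-A42EB79CB429}'
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Quick Links'
Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example'. Error=5.
""".splitlines()

if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG)
    print("found but never cleaned:", report.not_cleaned)
    print("benign re-deletes (Error=2 after a Cleaned):", len(report.benign_retries))
    print("failures needing a second look:", report.real_failures)
```

Run against the full log file rather than the excerpt, the not_cleaned list is the one to carry into the next reply: everything on it (and every real failure) is a candidate for manual deletion in Safe Mode.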
Old 12-02-2005, 06:33 PM   #7
sUBs (Management Team, Security Center; Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 26,480
OS: N/A

Have Hijackthis fix these entries;

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\spdevoaw.exe DO0605
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\spdevoaw.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/...er/Install.cab



Reboot to Safe Mode


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • Registry Cleaner
  • SoftwareOnline
  • SurfAccuracy
  • WinFixer 2005
  • Wild Tangent

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to delete any)
  • C:\Program Files\SoftwareOnline\
  • C:\Program Files\SurfAccuracy
  • C:\Program Files\WinFixer 2005
  • C:\WINDOWS\system32\nsvsvc\
  • C:\WINDOWS\wt\
  • C:\WINDOWS\system32\spdevoaw.exe
  • C:\Program Files\Registry Cleaner Trial\

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
Please update us on how the computer behaves now
-- sUBs
Old 12-08-2005, 05:42 AM   #8
el-daddio (I helped the forums.)
Join Date: Jun 2005
Posts: 17
OS: XP

Sorry for the delay, I'm just now back in town. I'll perform the fixes and post the logs, hopefully tomorrow. Thanks for your help.
-- el-daddio
Old 12-12-2005, 05:38 AM   #9
el-daddio (I helped the forums.)
Join Date: Jun 2005
Posts: 17
OS: XP

I could not find software online, surf accuracy or winfixer in add/remove. Registry cleaner won't uninstall - I get an error message Invalid INSTALL.LOG. Wild tangent says it may have already been uninstalled.

Here are my posts. Also, Winfixer popped up again, before I did the latest fixes, and I carefully ended it using the delete tasks function. How does this popup keep getting in? Thanks again for the help.

Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 1:08:06 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Tmas\tmas.exe
C:\Documents and Settings\All Users\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

PANDA scan log:

Incident / Status / Location

Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\satmat.inf
Adware:adware/searchrelevancy Not disinfected C:\PROGRAM FILES\SearchRelevant
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows TaskAd
Spyware:spyware/surfsidekick Not disinfected Windows Registry
Virus:BAT/KillAv.CJ Not disinfected C:\a.bat
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\satmat.inf
el-daddio is offline  
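As an added illustration, not code from the thread or from HijackThis itself, here is a small Python parser for the O2/O4/O23 lines in the log above. It pulls out the CLSID, hive, vendor and the file that actually runs for each entry (including the DLL behind a rundll32 line) and attaches triage flags: a bare filename that is resolved through the search path, a target outside the Windows and Program Files trees, or a script-type file sitting in a Run key. The sample input reuses lines from the posted log plus one constructed `[updater]` line (marked in the code) so the script flag has something to fire on. The trusted-root list and the flag wording are my assumptions, and a flag is a reason to look closer, not a verdict: the HP OEM tool under C:\hp is flagged and is benign.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Input: lines excerpted from the HijackThis log above, plus one CONSTRUCTED line
# (the [updater] entry) so that the script-in-Run-key flag has something to fire on.
SAMPLE_LOG = r"""
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O4 - HKLM\..\Run: [updater] C:\a.bat
"""

# ASSUMED trusted roots: where Microsoft and vendor software normally lives on an XP box.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%systemroot%\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.+)$")
# First path-like token ending in an executable extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|bat|cmd|com|scr|pif))"?(?=\s|,|$)', re.IGNORECASE)


@dataclass
class Entry:
    section: str
    name: str
    target: str
    clsid: Optional[str] = None
    hive: Optional[str] = None
    vendor: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the file that actually runs for an O4 command line."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    exe = m.group("exe") if m else cmd.split()[0].strip('"')
    if exe.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        # rundll32 is only a host; the payload is the DLL that follows it.
        m2 = EXE_RE.match(cmd[m.end():].strip()) if m else None
        if m2:
            exe = m2.group("exe")
    return exe


def triage(exe: str) -> List[str]:
    """Cheap heuristics; every flag is a reason to look closer, not a verdict."""
    flags: List[str] = []
    low = exe.lower()
    if "\\" not in low:
        flags.append("bare filename: resolved through the search path, verify which copy runs")
    elif not low.startswith(TRUSTED_ROOTS):
        flags.append("outside Windows/Program Files: confirm the vendor (OEM dirs such as C:\\hp are common)")
    if low.endswith((".bat", ".cmd", ".pif", ".scr")):
        flags.append("script or shortcut-type file in an autostart location")
    return flags


def parse_hjt(text: str) -> List[Entry]:
    """Parse O2 (BHO), O4 (Run key) and O23 (service) lines; other sections are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], clsid=m["clsid"], flags=triage(m["path"])))
        elif m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            entries.append(Entry("O4", m["name"], exe, hive=m["hive"], flags=triage(exe)))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", f"{m['name']} ({m['short']})", m["path"],
                                 vendor=m["vendor"], flags=triage(m["path"])))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that earned at least one triage flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section} [{e.name}] {e.target}")
        for f in e.flags:
            print("    -", f)
```

Run it against a full log by reading the file into `parse_hjt`; the point of the flags is to shrink forty Run entries down to the three or four worth checking against the vendor's install location before anything is deleted.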
Old 12-12-2005, 05:44 PM   #10
TSF Team, Emeritus
 
Join Date: Jul 2004
Location: New York
Posts: 14,312
OS: Windows 98 & Windows XP Home/Pro

Delete these if found:

C:\WINDOWS\INF\satmat.inf
C:\PROGRAM FILES\SearchRelevant
C:\PROGRAM FILES\Windows TaskAd
C:\a.bat


Run a virus scan using Kaspersky Online Scanner. Just click on the Kaspersky Online Scanner button and read what's posted there - hit Accept once you're done. Download the ActiveX file when prompted. Scanning will begin shortly. When it's done post the log here.

Also run a new Panda scan and post that log here as well.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
greyknight17 is offline  
Old 12-14-2005, 05:37 AM   #11
I helped the forums.
 
Join Date: Jun 2005
Posts: 17
OS: XP


here's the Kaspersky log, Panda Scan hadn't finished last night and I forgot to get it this morning:

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, December 13, 2005 20:01:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/12/2005
Kaspersky Anti-Virus database records: 155031


Scan Settings
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics
Total number of scanned objects: 82391
Number of viruses found: 8
Number of infected objects: 10
Number of suspicious objects: 2
Duration of the scan process: 4890 sec

Infected Object Name / Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip/install.exe Suspicious: Password-protected-EXE

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer.zip Suspicious: Password-protected-EXE

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-77402a30-152c9f40.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-77402a30-152c9f40.zip Infected: Trojan.Java.ClassLoader.k

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP107\A0005271.dll Infected: Trojan-Downloader.Win32.IstBar.kg

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP107\A0005274.exe Infected: Trojan-Downloader.Win32.IstBar.jm

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP112\A0007364.exe Infected: Backdoor.Win32.Rbot.aeu

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP112\A0007368.exe Infected: Trojan-Downloader.Win32.Agent.tq

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP112\A0007373.exe Infected: Trojan-Downloader.Win32.Agent.tq

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP74\A0003804.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP74\A0003865.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP74\A0003866.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp

Scan process completed.
el-daddio is offline  
Old 12-14-2005, 10:01 AM   #12
Management Team, Security Center
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 26,480
OS: N/A


You appear to be clean. Just delete this file -

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\ar3.jar-77402a30-152c9f40.zip

I suggest that you upgrade to the latest version of Sun Java, available here.

Kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
sUBs is offline  
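An added example, not part of sUBs' post or of any tool he lists: Python that turns the six Custom Level changes in step 3 into a .reg file for the per-user Internet zone (zone 3 under HKCU\...\Internet Settings\Zones), reports which of a current set of values is weaker than that recommendation, and audits a hosts file in the spirit of step 11, separating MVPS-style sinkhole entries (a name mapped to 127.0.0.1 or 0.0.0.0) from entries that send a real name somewhere else, which is what a hosts hijack looks like. The URL-action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the value meanings (0 enable, 1 prompt, 3 disable) are the documented Internet Explorer ones; the "current settings" dictionary and the hosts lines are constructed for the demo, not read from this machine or copied from the MVPS file.

```python
from typing import Dict, List, Tuple

# Internet Explorer URL-action IDs for the six Custom Level settings in step 3.
# They are the value names under the zone key; Zones\3 is the Internet zone.
IE_ACTIONS: Dict[str, str] = {
    "Download signed ActiveX controls": "1001",
    "Download unsigned ActiveX controls": "1004",
    "Initialize and script ActiveX controls not marked as safe": "1201",
    "Installation of desktop items": "1800",
    "Launching programs and files in an IFRAME": "1804",
    "Navigate sub-frames across different domains": "1607",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3   # value semantics for these actions
RECOMMENDED: Dict[str, int] = {     # exactly the changes listed in step 3
    "Download signed ActiveX controls": PROMPT,
    "Download unsigned ActiveX controls": DISABLE,
    "Initialize and script ActiveX controls not marked as safe": DISABLE,
    "Installation of desktop items": PROMPT,
    "Launching programs and files in an IFRAME": PROMPT,
    "Navigate sub-frames across different domains": PROMPT,
}
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"


def ie_internet_zone_reg(settings: Dict[str, int] = RECOMMENDED) -> str:
    """Render the settings as a .reg file that regedit can import (per-user Internet zone)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for label, value in settings.items():
        lines.append(f'"{IE_ACTIONS[label]}"=dword:{value:08x}')
    return "\r\n".join(lines) + "\r\n"


def weaker_than_recommended(current: Dict[str, int]) -> List[str]:
    """Labels whose current value is more permissive than the recommendation (0 < 1 < 3)."""
    return [label for label, want in RECOMMENDED.items()
            if current.get(label, ENABLE) < want]


# CONSTRUCTED "before" state for the demo; not read from a real registry.
CONSTRUCTED_CURRENT: Dict[str, int] = {
    "Download signed ActiveX controls": PROMPT,
    "Download unsigned ActiveX controls": DISABLE,
    "Initialize and script ActiveX controls not marked as safe": ENABLE,
    "Installation of desktop items": ENABLE,
    "Launching programs and files in an IFRAME": PROMPT,
    "Navigate sub-frames across different domains": ENABLE,
}

# Step 11: a hosts entry is a sinkhole when the name points at this machine; anything
# else is a redirect and deserves a look, because that is what a hosts hijack looks like.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, verdict) for every mapping in a hosts file."""
    findings: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            if name.lower() in ("localhost", "localhost.localdomain"):
                verdict = "ok"
            elif address in SINKHOLES:
                verdict = "blocked"
            else:
                verdict = "redirect"
            findings.append((name, address, verdict))
    return findings


# CONSTRUCTED hosts excerpt using reserved example names; the MVPS file is not reproduced here.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ads.example.com
0.0.0.0   tracker.example.net    # some lists use 0.0.0.0 instead of 127.0.0.1
203.0.113.5 update.example.org   # a real name sent elsewhere: review this one
"""

if __name__ == "__main__":
    print(ie_internet_zone_reg())
    print("weaker than recommended:", weaker_than_recommended(CONSTRUCTED_CURRENT))
    for name, address, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:8} {address:12} {name}")
```

Save the generated text as a .reg file and import it with regedit while Internet Explorer is closed; it only touches the six values in question and leaves the rest of the zone alone. For the hosts audit, point `audit_hosts` at the contents of C:\WINDOWS\system32\drivers\etc\hosts and read every "redirect" line before trusting the file.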
Old 12-14-2005, 10:14 AM   #13
I helped the forums.
 
Join Date: Jun 2005
Posts: 17
OS: XP


Thanks, I'll make the final changes tonight. And make my small contribution now.

el-daddio is offline  
 

Copyright 2001 - 2014, Tech Support Forum
