#1
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
Fighting Spy Strike and spyware popup
Cleaning a friend's computer and having trouble.
The problem he noticed was with SpyAxe (pop-up notices in system tray), though I've found lots of other nasties too. He routinely updates/runs Ad-Aware and AVG, less routinely SpyBot S&D, has Kerio Personal Firewall (cable connection), but he has a roommate who does not surf safely! (sigh) In fact, this is the same computer I was cleaning when I first came upon your forum over a year ago and got so much help from Kevin aka greyknight17. Thanks many times over for all I've found and learned here!! And of course TIA for help today...

I have done your "Five-Step Process" and then some:
- I have scanned (multiple times, Safe Mode and Normal) with SpyBot S&D, Ad-Aware (settings per Kevin at greyknight17.com), and AVG. Find and fix things every time.
- Removed SpyAxe and others via Add/Remove Programs
- Checked for and removed other folders via Windows Explorer
- Also used CWShredder, CleanUp, SmitRem, Ewido
- ##Panda (still finding things), and TrendMicro HouseCall (found/fixed multiple problems)
- Still getting a pop-up in system tray saying "System Intrusion Detected"

Most recently:

(in Safe Mode logged in as Administrator)
- re-ran SmitRem and scanned w/ Ewido -> only SpywareStrike (SpyAxe) found - removed
- rescanned w/ SpyBot S&D -> WindowsActiveDesktop (removed)
- Ad-Aware -> nothing
- restart in Normal Mode -> system tray pop-up "System Intrusion Detected"

(Safe Mode logged in as user):
- re-ran SmitRem
- scanned w/ Ewido - **pop-up is present when logged in as user in Safe Mode (not when logged in as Admin), Ewido did not find spyaxe or similar (despite the pop-up being directly over the scan window! ;-)
- SpyBot S&D -> WindowsActiveDesktop (removed)
- AVG -> nothing

I am reluctant to do any more online scans as I just get more junk every time I go online. I have this computer at my home and am using a usb wireless adapter to my dsl router - have gone online only to get updates and try the Panda and TrendMicro scans as above.

I have another computer here I have been downloading the programs to, burning them on a CD, and then transferring to the oh-so-sick computer to install. I'm normally a Win98se user (don't laugh, it works) so not necessarily XP-proficient - should I be running these programs as the user as well as Admin? I started with logging into Safe Mode as Admin, but as noted above also tried logging in as the user...???

At latest Reboot Normal, the icon and pop-up "System Intrusion Detected" continues (also in Safe Mode logged on as User, or in Normal Mode, but not in Safe Mode logged on as Administrator) and Spyware Strike is back - shortcut on the Desktop, program folder, and listed in Add/Remove Programs. (Not using selective startup)

Below are
-- Panda scan (see ## above for when it was done)
-- smitfiles
-- Ewido Log (same)
-- HJT - done at this last normal boot *after* again removing SpyStrike via Add/Remove Programs and being sure program folder/ desktop icon are gone

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:55:05 AM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\SS Tools\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redsox.com/
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hp4948.tmp (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SY4u] C:\documents and settings\will\local settings\temp\SY4u.exe
O4 - HKLM\..\Run: [Tn] C:\documents and settings\will\local settings\temp\Tn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Will\Application Data\eetu.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\SS Tools\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe

*************************

SMITFILES:

smitRem © log file
version 2.8 by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 01/06/2006
The current time is: 16:41:00.51

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

checking for WinHound.com key
WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~
Security Toolbar

~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url

~~~ Favorites ~~~

~~~ system32 folder ~~~
wbeconm.dll
1024 dir
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp

~~~ Icons in System32 ~~~
ts.ico
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 804 'explorer.exe'
Killing PID 804 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

***************************

2nd Ewido log - safe mode, logged in as admin:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:36:37 PM, 1/6/2006
+ Report-Checksum: B641AE71

+ Scan result:

C:\Program Files\SpywareStrike\SpywareStrike.exe -> Adware.Spyaxe : Cleaned with backup

::Report End

3rd Ewido log - safe mode, logged in as User:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:11:10 PM, 1/6/2006
+ Report-Checksum: 9D776293

+ Scan result:

HKU\S-1-5-21-2695072642-2501954535-3646181656-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{120E090D-9136-4B78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
C:\Documents and Settings\Will\ezStub\ezStub.exe -> Adware.eZula : Cleaned with backup

::Report End

*****************

Panda Active Scan:

Incident  Status  Location
Adware:adware/ezula  Not disinfected  C:\WINDOWS\SYSTEM32\ezStub3.dll
Spyware:spyware/whazit  Not disinfected  C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/keenvalue  Not disinfected  C:\WINDOWS\SYSTEM32\setup_incred_7.exe
Spyware:spyware/commonname  Not disinfected  C:\WINDOWS\SYSTEM32\winnet.ini
Dialer:dialer.b  Not disinfected  C:\WINDOWS\DOWNLOADED PROGRAM FILES\EGAUTH.inf
Adware:adware/statblaster  Not disinfected  C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Adware:adware/securityerror  Not disinfected  C:\Documents and Settings\Will\Favorites\Antivirus Test Online.url
Spyware:spyware/betterinet  Not disinfected  C:\WINDOWS\INF\biini.inf
Adware:adware/sidesearch  Not disinfected  C:\WINDOWS\sepsd.bin
Adware:adware/ncase  Not disinfected  C:\PROGRAM FILES\nCase
Adware:adware/wupd  Not disinfected  C:\PROGRAM FILES\Windows TaskAd
Spyware:spyware/apropos  Not disinfected  C:\Documents and Settings\Will\Application Data\POP!
Adware:adware/dyfuca  Not disinfected  C:\WINDOWS\STWSI
Spyware:spyware/searchcentrix  Not disinfected  Windows Registry
Spyware:Cookie/2o7.net  Not disinfected  C:\Documents and Settings\Will\Cookies\will@2o7[1].txt
Spyware:Cookie/PointRoll  Not disinfected  C:\Documents and Settings\Will\Cookies\will@ads.pointroll[2].txt
Spyware:Cookie/Tribalfusion  Not disinfected  C:\Documents and Settings\Will\Cookies\will@tribalfusion[1].txt
Spyware:Spyware/Apropos  Not disinfected  C:\Documents and Settings\Administrator\My Documents\Data\Data\popinstlite.exe
Spyware:Spyware/Apropos  Not disinfected  C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe
Spyware:Spyware/Apropos  Not disinfected  C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
Spyware:Spyware/Apropos  Not disinfected  C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
Spyware:Cookie/2o7.net  Not disinfected  C:\Documents and Settings\Will\Cookies\will@2o7[1].txt
Spyware:Cookie/PointRoll  Not disinfected  C:\Documents and Settings\Will\Cookies\will@ads.pointroll[2].txt
Spyware:Cookie/Tribalfusion  Not disinfected  C:\Documents and Settings\Will\Cookies\will@tribalfusion[1].txt
Adware:Adware/eZula  Not disinfected  C:\Documents and Settings\Will\ezStub\ezStub.exe
Adware:Adware/EliteBar  Not disinfected  C:\EliteBar version 49.dll
Adware:Adware/EliteBar  Not disinfected  C:\EliteBar version 51.dll
Adware:Adware/WUpd  Not disinfected  C:\Program Files\Windows TaskAd\WinSched.exe
Adware:Adware/WUpd  Not disinfected  C:\RECYCLER\S-1-5-21-2695072642-2501954535-3646181656-500\Dc12\backup-20041008-115126-602.inf
Potentially unwanted tool:Application/Processor  Not disinfected  C:\SS Tools\SmitRem\Process.exe
Potentially unwanted tool:Application/Processor  Not disinfected  C:\SS Tools\Will 1-6-06\smitRem.exe[Process.exe]
Adware:Adware/EliteBar  Not disinfected  C:\WINDOWS\blocklist.reg
Spyware:Spyware/BetterInet  Not disinfected  C:\WINDOWS\Downloaded Program Files\ashton.inf
Adware:Adware/IST.ISTBar  Not disinfected  C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
Spyware:Spyware/BetterInet  Not disinfected  C:\WINDOWS\Downloaded Program Files\turbo.inf
Adware:Adware Program  Not disinfected  C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/TopRebates  Not disinfected  C:\WINDOWS\iNetPal\ezTSetup.exe
Adware:Adware/SAHAgent  Not disinfected  C:\WINDOWS\INF\biF.inf
Spyware:Spyware/BetterInet  Not disinfected  C:\WINDOWS\INF\biini.inf
Spyware:Spyware/BetterInet  Not disinfected  C:\WINDOWS\INF\biO.inf
Adware:Adware/EliteBar  Not disinfected  C:\WINDOWS\silent48.exe
Adware:Adware/nCase  Not disinfected  C:\WINDOWS\SYSTEM32\ezStub3.dll
Adware:Adware/InstaFinder  Not disinfected  C:\WINDOWS\SYSTEM32\InstaFinder_inst245.exe
Adware:Adware/KeenValue  Not disinfected  C:\WINDOWS\SYSTEM32\setup_incred_7.exe
Virus:Trj/Downloader.GKO  Disinfected  C:\WINDOWS\uniwebassist.exe

**********************
#2
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04
|
Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

regards
alba
#3
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
Thanks, Alba - I'll keep checking in, and I'm subscribed to the thread. Wow, Ireland to Southern California, ain't the Internet wonderful!!
#4
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
FYI, looks like this is a new clone of SpyAxe, more recent info here:
http://www.spywarewarrior.com/viewto...006&highlight=
http://blogs.zdnet.com/Spyware/?p=742
#5
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
nothing like answering my own thread... talking to myself! ;-)
found more here: http://pcpitstop.invisionzone.com/lo...p/t107892.html and am in the final step of using the fix posted by LDTate - doing a full Ewido scan, will let you know how this fix goes... fingers crossed and all that good stuff.
#7
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
OK, the fix above seems to have worked.
Go to http://pcpitstop.invisionzone.com/in...c=107892&st=15 and see the post by LDTate on his fix.

I am booted in Normal mode and have no pop-ups. Truly a lovely sight. Especially if it stays that way. Will try surfing next.

Here is my HJT now:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:12 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\SS Tools\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redsox.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SY4u] C:\documents and settings\will\local settings\temp\SY4u.exe
O4 - HKLM\..\Run: [Tn] C:\documents and settings\will\local settings\temp\Tn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Will\Application Data\eetu.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\SS Tools\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
#8
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Please download the file attached - smitty.zip
From within it, double-click smitty.bat & allow it to run. It shall produce a log for you to post back here.
__________________
Question - what have you done for the community today?
Last edited by sUBs; 01-16-2006 at 04:05 PM.
#9
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
LDTate's fix was originally posted here:
http://forums.tomcoyote.org/index.ph...&gopid=246956& ...just to give credit where credit is due...
#10
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
Do you still want me to do this despite all going OK now? Did you see something remaining on the HJT log?
#11
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
LDTate's fix does not cover some entries not shown in HijackThis.
These other HJT entries should also be fixed & the files they reference removed.

O4 - HKLM\..\Run: [SY4u] C:\documents and settings\will\local settings\temp\SY4u.exe
O4 - HKLM\..\Run: [Tn] C:\documents and settings\will\local settings\temp\Tn.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Will\Application Data\eetu.exe

Last edited by sUBs; 01-07-2006 at 03:53 PM.
#12
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
#13
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
The script merely identifies the entries. It can be run anytime.
#14
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
Please let me know if you still want me to run the smitty program. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 3:05:34 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\SS Tools\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redsox.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\SS Tools\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
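Added example, not code from the thread or from any tool it mentions: a small Python script that parses the O2/O4 lines of a HijackThis log, flags autorun targets that live in a user's temp or Application Data folder or point at a missing .tmp file (these heuristics are my own assumptions, not HijackThis's), and diffs the first and last logs posted above to show which entries disappeared after the fix. The sample lines are copied from those two logs.

```python
import re

# Constructed sample: O2/O4 lines copied from the first HJT log posted in this thread.
BEFORE_LOG = r"""
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hp4948.tmp (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SY4u] C:\documents and settings\will\local settings\temp\SY4u.exe
O4 - HKLM\..\Run: [Tn] C:\documents and settings\will\local settings\temp\Tn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Will\Application Data\eetu.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# Constructed sample: the same sections from the last HJT log in the thread (post #14).
AFTER_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# Generic shape of an "O" line: "O4 - HKLM\..\Run: <rest>" / "O2 - BHO: <rest>"
ENTRY_RE = re.compile(r"^(?P<sect>O\d+) - (?P<loc>[^:]+): (?P<rest>.*)$")
# Run-key entries carry the value name in brackets followed by the command line.
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_entries(log):
    """Return (section, location, name, target) tuples for every O-line in a log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, R0/R1 lines, process list and blank lines are skipped
        sect, loc, rest = m.group("sect", "loc", "rest")
        r = RUN_RE.match(rest)
        if r:
            name, target = r.group("name"), r.group("cmd")
        else:
            # "Name - {CLSID} - path" style (O2/O3/O9): the last " - " field is the file
            parts = [p.strip() for p in rest.split(" - ")]
            name, target = parts[0], parts[-1]
        entries.append((sect, loc, name, target))
    return entries


def flag_reasons(target):
    """Heuristics (assumed here, not HijackThis's) for a target that merits a closer look."""
    t = target.lower()
    reasons = []
    if "\\temp\\" in t:
        reasons.append("runs from a temp folder")
    if "\\application data\\" in t:
        reasons.append("runs from Application Data")
    if "(file missing)" in t:
        reasons.append("references a file that no longer exists")
    if re.search(r"\.tmp\b", t):
        reasons.append(".tmp file loaded as code")
    return reasons


def flagged(log):
    """(name, reasons) for each entry in the log that trips at least one heuristic."""
    return [(name, flag_reasons(target))
            for _, _, name, target in parse_entries(log)
            if flag_reasons(target)]


def removed_entries(before, after):
    """Entries present in the earlier log but gone from the later one (keyed by section/location/name)."""
    after_keys = {e[:3] for e in parse_entries(after)}
    return [e for e in parse_entries(before) if e[:3] not in after_keys]


if __name__ == "__main__":
    for name, reasons in flagged(BEFORE_LOG):
        print(f"REVIEW  {name}: {'; '.join(reasons)}")
    for sect, loc, name, target in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"GONE    {sect} {loc} [{name}] {target}")
```

Note that tsm2.exe (the Tsa2 entry) is gone between the two logs but trips none of the path heuristics; the analyst flagged it from experience, which is why a reviewer still reads every line rather than relying on a script alone.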
#15
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Please run smitty now. It only takes mere seconds to run.
#16
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
16 Bit MS-DOS subsystem
c:\windows\system32\cmd.exe
c:\windows\system32\autoexec.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose "close" to terminate the application
(close and ignore buttons available)...???
#17
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
To fix that error message, you need to visit this website to download additional files.
#18
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
ccpc,
Signing off now. It's 7:20am in my timezone & I'm dead tired. Please do an online scan to see if it uncovers any hidden infections. I'll catch up with you when I log on again.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes when prompted to install an ActiveX component.
#19
I helped the forums.
Join Date: Oct 2004
Posts: 33
OS: Win98SE
|
For when you come online again...
ran the smitty program and here is the log:

Running from: C:\SS Tools\smitty\smitty\smitty

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C1A2FDA2-1A5B-2A8F-F3A2-B22DA1A3C41D}"="NetWrap for Windows"

C:\WINDOWS\SYSTEM32\
asfiles.txt  Fri Jan 6 2006 6:12:16p  A....  0  0.00 K
help.ico  Fri Jan 6 2006 6:09:18p  A....  1,406  1.37 K
jupdat~1.log  Fri Jan 6 2006 6:51:58p  A....  6,675  6.52 K
pavas.ico  Fri Jan 6 2006 6:09:18p  A....  30,590  29.87 K
perfc009.dat  Sat Jan 7 2006 2:00:28p  A....  40,196  39.25 K
perfh009.dat  Sat Jan 7 2006 2:00:28p  A....  311,934  304.62 K
perfst~1.ini  Sat Jan 7 2006 2:00:28p  A....  355,944  347.60 K
swunilog.ini  Fri Jan 6 2006 9:27:10a  A....  0  0.00 K
uninst~1.ico  Fri Jan 6 2006 6:09:18p  A....  2,550  2.49 K
wpa.dbl  Fri Jan 6 2006 9:14:18a  A....  1,170  1.14 K

10 items found: 10 files, 0 directories.
Total of file sizes: 750,465 bytes 732.88 K
#20
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
|
Please download & save on desktop - regdel.zip. From within regdel.zip, double-click regdel.reg & allow it to merge with the Registry.

Will look at the online scan results later.