Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

"You have spyware/virus" popups


  • Please log in to reply

#1
Teri76

Teri76

    New Member

  • Member
  • Pip
  • 4 posts
I'm always so careful. In two years, never had an issue. I got a bad torrent....now I'm loaded. I run my AVG spyware, it removes a ton of stuff. I go to bed, wake up with popups and run it again to find more...so help me fix it before I go insane!!! I've tried myself and it fixes it for about an hour...had tagasaurus show up on my desktop last night too...


Logfile of HijackThis v1.99.1
Scan saved at 10:32:24 AM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Common Files\AOL\1156291395\ee\aolsoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.Tink\Desktop\mayer[bleep].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MX6445
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MX6445
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TB&M=MX6445
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv575.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: Brotaaud - {92BC032C-A567-4ACC-B3CE-BF3413541FDC} - C:\WINDOWS\system32\logonkey.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
µTorrent
2Wire Wireless Client
Abexo Free Registry Cleaner
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AOL Uninstaller (Choose which Products to Remove)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.4
AVG Anti-Spyware 7.5
AVG Free Edition
BigFix
Broadcom 802.11 Network Adapter
CleanUp!
Comcast High-Speed Internet Install Wizard
Conexant AC-Link Audio
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Solution
FLAC Installer 1.1.2a (remove only)
HijackThis 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914906)
iTunes
J2SE Runtime Environment 5.0 Update 2
LimeWire 4.12.6
Messenger Plus! Live
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Digital Image Starter Edition 2006
Microsoft Money 2006
Microsoft Office Standard Edition 2003
Microsoft Works
Mozilla Firefox (2.0)
MSN
On2 VP7 Personal Edition
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer
Riva FLV Encoder 2.0
SBC Yahoo! DSL Home Networking Installer
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Soft Data Fax Modem with SmartCP
Sonic Encoders
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Rollup 2 for Windows XP Media Center Edition 2005
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows XP Hotfix - KB886185
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB915381
WinRAR archiver
XviD 1.1 final uninstall
Yahoo! Messenger
ZoneAlarm

Edited by Teri76, 28 October 2006 - 08:37 AM.

  • 0

Advertisements


#2
rambro

rambro

    Member 1K

  • Member
  • PipPipPipPip
  • 1,383 posts
Dear Teri76, :whistling:

Welcome to the Geeks to Go forums.

We are currently studying your log. :blink:
*************************************

You are currently running HijackThis from your desktop. Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted. Go to "My Computer", click on c:\ and then go to the "File" menu, choose New -> Folder. Name the folder "HJT" or "HijackThis" and then please move the "HijackThis.exe" executable there.

In fact, I cannot find the HijackThis.exe file in your HijackThis log.

Can you tell me in detail if you renamed the "HijackThis.exe" file?

***************************

Dear Teri76, can you tell me in detail (if you know) what this line is:

C:\Documents and Settings\Owner.Tink\Desktop\mayer[bleep].exe


rambro :help:
  • 0

#3
rambro

rambro

    Member 1K

  • Member
  • PipPipPipPip
  • 1,383 posts
Dear Teri76, :whistling:

(Note: Please read through these instructions a couple of times before executing the steps in this post.)

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop.
******************************

Make sure your PC is configured to show hidden files. Here is how to do this:

Windows XP

* Click "Start".
* Open "My Computer".
* Select the "Tools" menu and click "Folder Options".
* Select the "View" Tab.
* Under the "Hidden files and folders" heading select "Show hidden files and folders".
* Make sure "Hide extensions for known file types" is unchecked
* Uncheck the "Hide protected operating system files (recommended)" option.
* Click "Yes" to confirm.
* Click "OK".

Here is a link for further explanation: http://www.xtra.co.n...1916458,00.html
****************************************

Submit the file "C:\WINDOWS\System32\logonkey.dll" for an online scan at: http://virusscan.jotti.org/. Post the results of the scan in a reply to this post.

Double-click on My Computer and locate the file "logonkey.dll" (this should be located in the C:\WINDOWS\System32 directory). Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Company", "File Version", "Internal Name", "Language", "Original File name", "Product Name", and "Product Version", and please post whatever the text in the box immediately to the right says for each, in a reply to this post. Also on the "Version" tab, post back to me, what it says for "File Version", "Description" and "Copyright".

Please post the jotti online scan for the "logonkey.dll" file, along with the "properties" of the "logonkey.dll" file. :blink:
********************************

Can you tell me in detail who is your Internet Service Provider?

Can you tell me how you are connecting through the Internet (e.g. dialup, dsl or cable)?

Can you tell me in detail if you are you still using the following application:

Comcast High-Speed Internet Install Wizard


  • 0

#4
Teri76

Teri76

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for getting back to me!

Yes I renamed it...I am aware some things hide fro HJT so I renamed it. I have but it in its onw folder as you asked.

I use two providers. Sometimes I use SBC Wireless...Currently using Comcast highspeed Cable Connected through an eternet cable (not-wireless). So the answer is yes, I suppose that I am using the wizard thing.

The "Properties" for that program:
It has no version tab. Under the Summary tab, there is nothing next to any of those lines. It was created November 2005, I've only had the laptop Since the end of august. so I am assuming it is a file that came with the laptop.

The Jotti scan told me that the file I uploaded:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I turned the firewall off, tried again

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
  • 0

#5
rambro

rambro

    Member 1K

  • Member
  • PipPipPipPip
  • 1,383 posts
Dear Teri76, :whistling:

I was looking at your "Add/Remove Software list" log from your previous post.

The following are optional uninstalls

Note - as with all P2P sharing programs they are susceptible to various forms of malware". That is, a Peer to Peer (P2P) file-sharing client program can be used as a vehicle for downloading spyware on to your computer system.

Uninstall the following program/programs through Add/Remove programs (if they exist):

µTorrent
LimeWire 4.12.6


See the following link as a reference: http://p2p.malwarere....com/index.html - You decide.

If you uninstalled LimeWire you need to remove the next folder also (marked in blue):

C:\Program Files\LimeWire
******************************

This what I found from google:

Messenger Plus includes with it a particularly insidious form of adware called "Lop." Lop falls under the category of PC "hijacker" and makes changes to a user's Web browser in addition to popping up advertisements. The adware additionally places icons on the desktop and attempts to trick users into running a fake virus scan that installs even more malware.

Uninstall the following program/programs through Add/Remove programs:

Messenger Plus! Live

See the following links as a reference:

http://fileforum.bet...ve/1151240522/1
http://www.msgweb.nl...ithout_sponsor/
*****************************************

The QuickTime Player is a legitimate program, but may interfere with your Real time player, WinAmp player and Windows media player. I suggest you uninstall the following program:

QuickTime

rambro :blink:
  • 0

#6
rambro

rambro

    Member 1K

  • Member
  • PipPipPipPip
  • 1,383 posts
Dear Teri76, :whistling:

(Note: Please read through these instructions a couple of times before executing the steps in this post.)

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop.
******************************

Run HijackThis and click "Scan." Place checks next to the following entry/entries (if they exist):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv575.dll

O20 - AppInit_DLLs: BattyRun2.dll

O21 - SSODL: Brotaaud - {92BC032C-A567-4ACC-B3CE-BF3413541FDC} - C:\WINDOWS\system32\logonkey.dll

Close all browser and other windows except for HijackThis, and click "Fix Checked" button to finish the repair. Close the HijackThis application.

Next, make sure your PC is configured to show hidden files. Here is how to do this:

Windows XP

* Click "Start".
* Open "My Computer".
* Select the "Tools" menu and click "Folder Options".
* Select the "View" Tab.
* Under the "Hidden files and folders" heading select "Show hidden files and folders".
* Make sure "Hide extensions for known file types" is unchecked
* Uncheck the "Hide protected operating system files (recommended)" option.
* Click "Yes" to confirm.
* Click "OK".

Here is a link for further explanation: http://www.xtra.co.n...1916458,00.html

Delete the following file/files marked in blue (if they exist):

C:\WINDOWS\system32\nsv575.dll
BattyRun2.dll <-- (Do a search for this file and then delete it)
C:\WINDOWS\system32\logonkey.dll

Delete the following folder/folders marked in blue (if they exist):

Finally, clean out temporary and Temporary Internet files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Restart your computer.
****************************************************

Please download and run a Free Trial of Trojan Hunter at http://www.misec.net...rojanHunter.exe. Please restart your computer.
***********************************

TrendMicro™ HouseCall ActiveX Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall>> button.
  • You may receive a prompt to install the ActiveX, click install.
  • If you are taken back to the main page, click Launching HouseCall>> button again.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.
When the scan is finished, please restart your computer.
*******************************

Download, install, update, configure and run a scan with Ad-Aware SE at the following link: http://rstones12.gee...areSE_setup.htm

Restart your computer.
************************************

Restart your computer and then please post a new HijackThis log.

In addition, let me know in detail how your computer system is running after performing the above steps. :blink:
  • 0

#7
Teri76

Teri76

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hey Rambro

I unistalled Limewire and Plus...but I left UTorrent for now. Also reluctantly dicthed Plus after reading the documentation...heck I loved that plugin.

I have a quick question about something. you said WinAmp....does it show that I still have that on here? I thought I ditched that eons ago.

Edited by Teri76, 29 October 2006 - 12:46 AM.

  • 0

#8
Teri76

Teri76

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
The following problems occured so far

Upon trying to delete from HJT the battyrun2.dll

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: BattyRun2.dll)
Error #5 - Invalid procedure call or argument

Please email me at [email protected], reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

System32 wouldnt allow me to delete logonkey.dll

Battyrun2.dll was not found on my computer

Trojan Hunter log:
Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CLASSES_ROOT\CFG32S.Search.1 (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7564B020-44E8-4C9B-A887-C6EC41AC67DA} (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CLASSES_ROOT\Scaggy.Insert (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898} (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scaggy.Insert (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_CLASSES_ROOT\CFG32S.Search (matches Adware.BookedSpace.106) (Regedit Jump)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search.1 (matches Adware.BookedSpace.106) (Regedit Jump)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\WINDOWS\srvoueuxxh.exe (VB.429)
1 files identified


Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search\CLSID
Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search\CurVer
Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search

Removed registry key HKEY_CLASSES_ROOT\CFG32S.Search.1\CLSID
Removed registry key HKEY_CLASSES_ROOT\CFG32S.Search.1

Removed registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7564B020-44E8-4C9B-A887-C6EC41AC67DA}\iexplore
Removed registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7564B020-44E8-4C9B-A887-C6EC41AC67DA}

Removed registry key HKEY_CLASSES_ROOT\Scaggy.Insert\CLSID
Removed registry key HKEY_CLASSES_ROOT\Scaggy.Insert\CurVer
Removed registry key HKEY_CLASSES_ROOT\Scaggy.Insert

Removed registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}\iexplore
Removed registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}

Unable to open key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scaggy.Insert

Unable to open key HKEY_CLASSES_ROOT\CFG32S.Search

Unable to open key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CFG32S.Search.1

Quarantined file C:\WINDOWS\srvoueuxxh.exe
Trojan cleaning finished.

Ad-Aware scan log

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, October 29, 2006 1:50:14 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R129 26.10.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.MyToolbar(TAC index:3):1 total references
MRU List(TAC index:0):17 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


10-29-2006 1:50:14 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 752
ThreadCreationTime : 10-28-2006 3:46:58 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 828
ThreadCreationTime : 10-28-2006 3:47:00 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 852
ThreadCreationTime : 10-28-2006 3:47:03 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 896
ThreadCreationTime : 10-28-2006 3:47:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 908
ThreadCreationTime : 10-28-2006 3:47:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1064
ThreadCreationTime : 10-28-2006 3:47:04 PM
BasePriority : Normal
FileVersion : 6.14.10.4115
ProductVersion : 6.14.10.4115.01
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1076
ThreadCreationTime : 10-28-2006 3:47:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1160
ThreadCreationTime : 10-28-2006 3:47:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1300
ThreadCreationTime : 10-28-2006 3:47:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1344
ThreadCreationTime : 10-28-2006 3:47:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1416
ThreadCreationTime : 10-28-2006 3:47:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1784
ThreadCreationTime : 10-28-2006 3:47:06 PM
BasePriority : Normal
FileVersion : 6.14.10.4115
ProductVersion : 6.14.10.4115.01
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1880
ThreadCreationTime : 10-28-2006 3:47:06 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:14 [wltrysvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 532
ThreadCreationTime : 10-28-2006 3:47:14 PM
BasePriority : Normal


#:15 [bcmwltry.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 544
ThreadCreationTime : 10-28-2006 3:47:14 PM
BasePriority : Normal
FileVersion : 3.100.64.1
ProductVersion : 3.100.64.1
ProductName : Broadcom 802.11 Network Adapter Wireless Network Controller
CompanyName : Broadcom Corporation
FileDescription : Broadcom 802.11 Network Adapter Wireless Network Controller
InternalName : bcmwltry.exe
LegalCopyright : 1998-2005, Broadcom Corporation All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:16 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 588
ThreadCreationTime : 10-28-2006 3:47:14 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:17 [guard.exe]
FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 1100
ThreadCreationTime : 10-28-2006 3:47:20 PM
BasePriority : Normal
FileVersion : 7, 5, 0, 47
ProductVersion : 7, 5, 0, 47
ProductName : AVG Anti-Spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : AVG Anti-Spyware guard
InternalName : AVG Anti-Spyware guard
LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.
OriginalFilename : guard.exe

#:18 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1088
ThreadCreationTime : 10-28-2006 3:47:20 PM
BasePriority : Normal
FileVersion : 7,1,0,365
ProductVersion : 7.1.0.365
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:19 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1240
ThreadCreationTime : 10-28-2006 3:47:21 PM
BasePriority : Normal
FileVersion : 7,1,0,349
ProductVersion : 7.1.0.349
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:20 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1276
ThreadCreationTime : 10-28-2006 3:47:21 PM
BasePriority : Normal
FileVersion : 7,1,0,400
ProductVersion : 7.1.0.400
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:21 [ehrecvr.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 1336
ThreadCreationTime : 10-28-2006 3:47:21 PM
BasePriority : Above Normal
FileVersion : 5.1.2715.2812 (xpsp(wmbla).051215-1116)
ProductVersion : 5.1.2715.2812
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Receiver Service
InternalName : ehRecvr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehRecvr.exe

#:22 [ehsched.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 1352
ThreadCreationTime : 10-28-2006 3:47:21 PM
BasePriority : Normal
FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 5.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Scheduler Service
InternalName : ehSched
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehSched.exe

#:23 [prismxl.sys]
FilePath : C:\Program Files\Common Files\New Boundary\PrismXL\
ProcessID : 1548
ThreadCreationTime : 10-28-2006 3:47:22 PM
BasePriority : Normal
FileVersion : 6.0.1.22
ProductVersion : 6.0.1.22
ProductName : PrismXL Software Family
CompanyName : New Boundary Technologies, Inc.
FileDescription : PrismXL Service
InternalName : PrismXL Service
LegalCopyright : © 1997-2004 New Boundary Technologies
OriginalFilename : PrismXL.sys

#:24 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 388
ThreadCreationTime : 10-28-2006 3:47:25 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:25 [mcrdsvc.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 704
ThreadCreationTime : 10-28-2006 3:47:25 PM
BasePriority : Normal
FileVersion : 4.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 4.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : MCRD Device Service
InternalName : McrdSvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : McrdSvc.exe

#:26 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3212
ThreadCreationTime : 10-28-2006 3:47:43 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:27 [dllhost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3292
ThreadCreationTime : 10-28-2006 3:47:44 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : COM Surrogate
InternalName : dllhost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : dllhost.exe

#:28 [ehtray.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 3456
ThreadCreationTime : 10-28-2006 3:47:47 PM
BasePriority : Normal
FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 5.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Tray Applet
InternalName : ehtray
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehtray.exe

#:29 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 3532
ThreadCreationTime : 10-28-2006 3:47:48 PM
BasePriority : Normal
FileVersion : 8.3.4 19May06
ProductVersion : 8.3.4 19May06
ProductName : Synaptics Pointing Device Driver
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Synaptics Enhancements Application
LegalCopyright : Copyright © Synaptics, Inc. 1996-2006
OriginalFilename : SynTPEnh.exe

#:30 [ehmsas.exe]
FilePath : C:\WINDOWS\eHome\
ProcessID : 3576
ThreadCreationTime : 10-28-2006 3:47:49 PM
BasePriority : Normal
FileVersion : 5.1.2710.2732 (xpsp(wmbla).050805-1239)
ProductVersion : 5.1.2710.2732
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Media Status Aggregator Service
InternalName : eHMSAS
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehMSAS.exe

#:31 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 3616
ThreadCreationTime : 10-28-2006 3:47:49 PM
BasePriority : Normal
FileVersion : 7,1,0,406
ProductVersion : 7.1.0.406
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:32 [avgas.exe]
FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 1396
ThreadCreationTime : 10-28-2006 3:47:59 PM
BasePriority : Normal
FileVersion : 7, 5, 0, 50
ProductVersion : 7, 5, 0, 50
ProductName : AVG Anti-Spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : AVG Anti-Spyware
InternalName : AVG Anti-Spyware
LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.
OriginalFilename : avgas.exe

#:33 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3108
ThreadCreationTime : 10-28-2006 3:48:56 PM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:34 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3776
ThreadCreationTime : 10-28-2006 3:49:28 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:35 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ProcessID : 132
ThreadCreationTime : 10-29-2006 3:19:42 AM
BasePriority : Normal
FileVersion : 6.5.737.000
ProductVersion : 6.5.737.000
ProductName : Zone Labs Client
CompanyName : Zone Labs, LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : zlclient.exe

#:36 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 1652
ThreadCreationTime : 10-29-2006 3:19:43 AM
BasePriority : Normal
FileVersion : 6.5.737.000
ProductVersion : 6.5.737.000
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC
OriginalFilename : vsmon.exe

#:37 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 3648
ThreadCreationTime : 10-29-2006 6:31:30 AM
BasePriority : Normal
FileVersion : 8.0.0812.00
ProductVersion : 8.0.0812
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe

#:38 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 3128
ThreadCreationTime : 10-29-2006 6:38:22 AM
BasePriority : Normal


#:39 [ymsgr_tray.exe]
FilePath : C:\Program Files\Yahoo!\Messenger\
ProcessID : 3176
ThreadCreationTime : 10-29-2006 6:42:33 AM
BasePriority : Normal


#:40 [ose.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Source Engine\
ProcessID : 1056
ThreadCreationTime : 10-29-2006 6:44:33 AM
BasePriority : Normal


#:41 [trojanhunter.exe]
FilePath : C:\Program Files\TrojanHunter 4.6\
ProcessID : 1952
ThreadCreationTime : 10-29-2006 6:46:14 AM
BasePriority : Normal
FileVersion : 4.6.0.930
ProductVersion : 4.1.0.0
ProductName : TrojanHunter
CompanyName : Mischel Internet Security
FileDescription : TrojanHunter Scanner
InternalName : TrojanHunter Scanner
LegalCopyright : Mischel Internet Security
LegalTrademarks : TrojanHunter is a trademark of Mischel Internet Security
OriginalFilename : TrojanHunter.exe

#:42 [thguard.exe]
FilePath : C:\Program Files\TrojanHunter 4.6\
ProcessID : 2036
ThreadCreationTime : 10-29-2006 6:46:14 AM
BasePriority : Normal
FileVersion : 4.5.0.277
ProductVersion : 1.0.0.0
ProductName : TrojanHunter Guard
CompanyName : Mischel Internet Security
FileDescription : TrojanHunter Guard
LegalCopyright : Mischel Internet Security
LegalTrademarks : TrojanHunter is a trademark of Mischel Internet Security.
OriginalFilename : THGuard.exe

#:43 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3524
ThreadCreationTime : 10-29-2006 6:49:44 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.MyToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-566138470-3416646580-2083608904-1006\software\microsoft\windows\currentversion\ext\stats\{c004dec2-2623-438e-9ca2-c9043ab28508}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 18


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 12-9-2006 2:20:18 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 19



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 19




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

2:06:51 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:36.344
Objects scanned:140841
Objects identified:2
Objects ignored:0
New critical objects:2


Trend micro found 5 things...including a trojan and shut down before it could finish twice.

HJT

Logfile of HijackThis v1.99.1
Scan saved at 2:19:38 AM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\mayerrename.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TB&M=MX6445
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MX6445
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TB&M=MX6445
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



No pop ups right now....but the trend micro thing, really concerned me and as of right now...I can't control my touchpad. What I mean by that is the taskbar ico went away and I can't scroll. If I go in to put it back and turn on scrolling, it just sets itself right back in front of my eyes. I've reinstalled the drivers but nothing...

Edited by Teri76, 29 October 2006 - 03:50 AM.

  • 0

#9
rambro

rambro

    Member 1K

  • Member
  • PipPipPipPip
  • 1,383 posts
Dear Teri76, :blink:

but I left UTorrent for now


Just so you know, if you leave this application and don't uninstall it, I will be seeing you back here in a few months. :whistling:
**************************

I have a quick question about something. you said WinAmp....does it show that I still have that on here? I thought I ditched that eons ago.


Winamp is not on your computer, I just used it to "make a point".
*******************************

Thanks for posting the Trojan Hunter logs and the Ad-aware logs, but I didn't need to see them, and I didn't ask you to post them. :help:
************************

but the trend micro thing, really concerned me and as of right now.


Don't worry if you could not get the Trend Micro Online Scan to work, it is a "flakey" application and I am thinking about phasing it out in my post to users.
****************************

Upon trying to delete from HJT the battyrun2.dll

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: BattyRun2.dll)
Error #5 - Invalid procedure call or argument
*
*
*
System32 wouldnt allow me to delete logonkey.dll


Try deleting the above files in "Safe Mode". Here are some directions:

Please reboot into safe mode (continually tap the F8 key while your system is starting, select "Safe Mode" from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.co.../safemode.shtml

Next, make sure your PC is configured to show hidden files. Here is how to do this:

Windows XP

* Click "Start".
* Open "My Computer".
* Select the "Tools" menu and click "Folder Options".
* Select the "View" Tab.
* Under the "Hidden files and folders" heading select "Show hidden files and folders".
* Make sure "Hide extensions for known file types" is unchecked
* Uncheck the "Hide protected operating system files (recommended)" option.
* Click "Yes" to confirm.
* Click "OK".

Here is a link for further explanation: http://www.xtra.co.n...1916458,00.html

Delete the following file/files marked in blue (if they exist):

BattyRun2.dll <-- (Do a search for this file and then delete it)
C:\WINDOWS\system32\logonkey.dll

Delete the following folder/folders marked in blue (if they exist):

Finally, clean out temporary and Temporary Internet files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Restart your computer.
****************************

I can't control my touchpad. What I mean by that is the taskbar ico went away and I can't scroll. If I go in to put it back and turn on scrolling, it just sets itself right back in front of my eyes. I've reinstalled the drivers but nothing...


[b]This a problem that concerns me. As of right now I have no solution on hand for you. Let me know in detail if you resolved the situation.


rambro :)
  • 0

#10
rambro

rambro

    Member 1K

  • Member
  • PipPipPipPip
  • 1,383 posts
Dear Teri76, :whistling:

I need you to install sun java software, please uninstall any previous versions of the sun java software through your Add or Remove programs.

(Note: Looking at your first post this is the application you need to uninstall, before installing the new version below: "J2SE Runtime Environment 5.0 Update 2").

I would like you to download some java software (i.e. good to have on you computer system, just keep it updated).

Go to the following link: http://java.sun.com/....0/download.jsp

This should bring you to a web site whose title is: Java SE Downloads

Click on the fourth download: Java Runtime Environment (JRE) 5.0 Update 9. The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Note: The link itself should say: Java Runtime Environment (JRE) 5.0 Update 9

Click on this link.

This should bring you to a web site whose title is: J2SE™ Runtime Environment 5.0 Update 9

Accept the License Agreement by clicking on its associated "radio/option" button.

Scroll to the box that says: Windows Platform - J2SE™ Runtime Environment 5.0 Update 9

Click on the link that says: Windows Offline Installation, Multi-language and proceed with the download and installation. (Note: It should also say: jre-1_5_0_09-windows-i586-p.exe - 15.74 MB)

Restart your computer and then post a new HijackThis log. :blink:

In addition, let me know in detail how your computer system is running after performing the above steps. :help:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP