Today I ran a scan with CA Anti-Virus, Lavasoft Ad-Aware 2007, SUPERAntiSpyware, AVG Anti-Spyware and finally Panda ActiveScan. It still showed active spyware instances. I am no longer getting the antispyware, but my Task Manager is disabled. That may be the last of it, but I am not sure.
When I cleaned it Tuesday I had to re-enable the Task Manager and the Active Desktop. I thought then I should do this step, but hoped I got it all.
I am running WinXP Pro SP2, patched to today.
Here are the logs:
AVG Anti-Spyware:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 3:03:16 PM 3/22/2008
+ Scan result:
C:\Program Files\180search assistant -> Adware.180Solutions : Cleaned.
C:\Program Files\180search assistant\180sa.exe -> Adware.180Solutions : Cleaned.
C:\Program Files\180search assistant\sau.exe -> Adware.180Solutions : Cleaned.
C:\Program Files\180searchassistant -> Adware.180Solutions : Cleaned.
C:\Program Files\180searchassistant\saap.exe -> Adware.180Solutions : Cleaned.
C:\Program Files\180searchassistant\sac.exe -> Adware.180Solutions : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} -> Adware.Generic : Cleaned.
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-790525478-1993962763-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned.
C:\Documents and Settings\Law Office\Local Settings\Temp\nsu3DA.tmp\Install.dll -> Not-A-Virus.Adware.180Solutions : Cleaned.
C:\Documents and Settings\Law Office\Local Settings\Temp\Cookies\law [email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Law Office\Local Settings\Temp\Cookies\law office@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
::Report end
Panda ActiveScan:
Incident Status Location
Spyware:spyware/whazit Not disinfected c:\windows\system32\KYF.DAT
Adware:adware/startpage.aco Not disinfected c:\windows\system32\NTNUT32.EXE
Spyware:spyware/fastsearchweb Not disinfected c:\windows\system32\SHDOCPE.DLL
Adware:adware/123mania Not disinfected c:\windows\system32\SIPSPI32.DLL
Adware:adware/tubby Not disinfected c:\windows\system32\WER8274.DLL
Adware:adware/ncase Not disinfected c:\windows\DIDDUID.INI
Adware:adware/topconvert Not disinfected c:\windows\UPDATETC.EXE
Adware:adware/portalscan Not disinfected c:\program files\STC
Adware:adware/kingporn Not disinfected Windows Registry
Adware:adware/surfassistant Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/adlogix Not disinfected Windows Registry
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe
SUPERAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/22/2008 at 05:00 PM
Application Version : 3.9.1008
Core Rules Database Version : 3423
Trace Rules Database Version: 1415
Scan type : Complete Scan
Total Scan Time : 01:41:30
Memory items scanned : 335
Memory threats detected : 2
Registry items scanned : 4126
Registry threats detected : 31
File items scanned : 27404
File threats detected : 20
Rogue.Unclassified/Loader
C:\WINDOWS\SYSTEM32\MGMRWMRV.EXE
C:\WINDOWS\SYSTEM32\MGMRWMRV.EXE
Trojan.Downloader-Gen/Burre
C:\WINDOWS\SYSTEM32\MARWIN32.DLL
C:\WINDOWS\SYSTEM32\MARWIN32.DLL
C:\WINDOWS\SYSTEM32\CYGWN32.DLL
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C}
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}\InprocServer32
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}\InprocServer32#ThreadingModel
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}\ProgID
HKCR\CLSID\{FFFFFFFF-F538-4F86-ABAF-E9D94D5C007C}\TypeLib
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-F538-4f86-ABAF-E9D94D5C007C}
Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}
Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}
Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}
Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\STCLOADER.EXE
Adware.180solutions/ZangoSearch
C:\Program Files\Zango\zango.exe
C:\Program Files\Zango
Adware.180solutions/Seekmo
C:\Program Files\Seekmo\seekmohook.dll
C:\Program Files\Seekmo
C:\DOCUMENTS AND SETTINGS\LAW OFFICE\LOCAL SETTINGS\TEMP\SAI3D7.TMP
C:\DOCUMENTS AND SETTINGS\LAW OFFICE\LOCAL SETTINGS\TEMP\NSU3DA.TMP\RESOURCE.DLL
Adware.Zango Toolbar/Hb
HKCR\InstIE.HbInstObj
HKCR\InstIE.HbInstObj\CLSID
HKCR\InstIE.HbInstObj\CurVer
HKCR\InstIE.HbInstObj.1
HKCR\InstIE.HbInstObj.1\CLSID
HKCR\Toolbar.HtmlMenuUI
HKCR\Toolbar.HtmlMenuUI\CLSID
HKCR\Toolbar.HtmlMenuUI\CurVer
HKCR\Toolbar.HtmlMenuUI.1
HKCR\Toolbar.HtmlMenuUI.1\CLSID
Rogue.AntiSpywareSuite
HKU\S-1-5-21-790525478-1993962763-1343024091-1003\Software\AntiSpywareSuiteDownloader
HKLM\Software\AntiSpywareSuiteDownloader
HKLM\Software\AntiSpywareSuiteDownloader#TotalSize
HKLM\Software\AntiSpywareSuiteDownloader#SeekPos
Rootkit.Unclassified/SysDamp-Traces
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Reserved
Rogue.TrustedAntiVirus
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#SBI [ C:\Documents and Settings\Law Office\Local Settings\Temporary Internet Files\Content.IE5\KDCXAJSD\install_sbd_en[1].exe ]
Trojan.Media-Codec/V5
C:\Program Files\Helper
Torjan.SecondThoughtInstaller
C:\WINDOWS\INSTALLER\ID53.EXE
Trojan.FakeDrop-180AX
C:\WINDOWS\FLEOK\180AX.EXE
C:\WINDOWS\180AX.EXE
Trojan.FakeDrop-SWin32
C:\WINDOWS\SWIN32.DLL
Trojan.FakeDrop-2020Search
C:\WINDOWS\2020SEARCH.DLL
Trojan.FakeDrop-CDSM32
C:\WINDOWS\CDSM32.DLL
Adware.Tracking Cookie
C:\Documents and Settings\Law Office\Local Settings\Temp\Cookies\law [email protected][1].txt
Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\907608617.EXE
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:17 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\System32\CcEvtSvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141083023502
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe (file missing)
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
--
End of file - 6379 bytes
Uninstall Log:
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
CA Anti-Virus
CA Anti-Virus
Canon iP1600
Canon Utilities Easy-PhotoPrint
Easy-WebPrint
HijackThis 2.0.2
Hotfix for Windows XP (KB896344)
iHateSpam
LaserJet 1020 series
Microsoft Office 2000 Premium
OrderReminder HP LaserJet 1020
Panda ActiveScan
PCI Audio Applications
PowerDVD
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SiS Audio Driver
SUPERAntiSpyware Free Edition
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WVID Filter (remove only)
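The HijackThis log above shows the two persistence points that match the symptoms described in the post: the Winlogon Userinit value has a second program appended after userinit.exe (mgmrwmrv.exe, which SUPERAntiSpyware also flagged as Rogue.Unclassified/Loader), and Task Manager is disabled, which on XP is normally done through the DisableTaskMgr policy value. The script below is an added example, not part of the original post and not code from any of the tools listed; it audits those points plus the registered Browser Helper Objects (the O2 lines), and reverts the Userinit and policy values only when run with -Fix. It assumes PowerShell 2.0 or later on an elevated prompt, and that the only legitimate Userinit entry is %SystemRoot%\system32\userinit.exe, which is the XP default.

```powershell
# Added example, not from the original post: audit the XP persistence points
# flagged in the HijackThis log (Userinit chain, Task Manager / Active Desktop
# policy values, Browser Helper Objects). Read-only unless -Fix is passed.
# Assumes PowerShell 2.0+ on an elevated prompt; run as: .\Audit-Logon.ps1 [-Fix]
param([switch]$Fix)

$findings = @()

# 1. Winlogon Userinit. On XP the only legitimate entry is
#    %SystemRoot%\system32\userinit.exe; every further comma-separated entry
#    is started at each interactive logon (the log shows mgmrwmrv.exe there).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($entry in $userinit.Split(',')) {
    $entry = $entry.Trim()
    if ($entry -and ($entry -ine $expected)) {
        $findings += "Userinit also launches: $entry"
    }
}
if ($Fix -and ($userinit -ine "$expected,")) {
    Set-ItemProperty -Path $winlogon -Name Userinit -Value "$expected,"
}

# 2. Policy values that disable Task Manager, Registry Editor and Active Desktop.
#    Malware sets these to 1; deleting the value restores the default behaviour.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktop' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktopChanges' }
)
foreach ($check in $policyChecks) {
    if (-not (Test-Path $check.Path)) { continue }
    $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($check.Name) -eq 1) {
        $findings += "Policy restriction set: $($check.Path)\$($check.Name) = 1"
        if ($Fix) { Remove-ItemProperty -Path $check.Path -Name $check.Name }
    }
}

# 3. Browser Helper Objects: resolve each CLSID to its InprocServer32 DLL.
#    A CLSID with no server key or a DLL missing on disk is the "(no file)"
#    case in the O2 lines; a DLL that is present should be checked by
#    publisher/signature before it is trusted.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($bho in Get-ChildItem -Path $bhoKey) {
        $clsid  = $bho.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server).'(default)'
        }
        if (-not $dll) {
            $findings += "BHO $clsid : no InprocServer32 (orphan registration)"
        } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
            $findings += "BHO $clsid : DLL missing on disk ($dll)"
        } else {
            $findings += "BHO $clsid : $dll (verify signature/publisher)"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it once without -Fix and keep the output with the other logs; the Userinit finding is the one to act on first, because anything listed there runs again at the next logon regardless of what the scanners removed, and the orphan BHO CLSIDs are safe to delete since they no longer resolve to a file.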