Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

new ad-aware logfile[RESOLVED]

Started by chbroad , May 18 2005 10:20 PM

  • This topic is locked This topic is locked

#1
chbroad
Posted 18 May 2005 - 10:20 PM

chbroad

    Member

  • Member
  • PipPip
  • 12 posts
Lots of pop-ups! I tried to do my homework, and followed suggestions within the different posts for problems similar to this. Used Cleanup, ad-aware, and Spybot, but keep seeing the same pop-ups back within minutes. HELP?

Specifically, nLite trying to install MM Player (I think that's what it said).

Thanks so much, Chad

_____________________________________________

Logfile removed: Incorrect Logfile type posted

Edited by Andy_veal, 19 May 2005 - 06:22 AM.

  • 0

Advertisements

#2
Untouchable J
Posted 19 May 2005 - 04:34 AM

Untouchable J

    Member

  • Member
  • PipPip
  • 10 posts
Morning,

Follow the instructions here: Before posting an Ad-aware logfile

Before starting your scan make sure "perform a full system scan" is selected. Complete a full scan and post your updated logfile here.

-J
  • 0

#3
chbroad
Posted 19 May 2005 - 09:50 PM

chbroad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Sorry about that. I think I got it right this time.

Thanks, Chad

-----------------------------------------------------


Ad-Aware SE Build 1.05
Logfile Created on:Thursday, May 19, 2005 10:44:14 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R46 17.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R46 17.05.2005
Internal build : 54
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 474775 Bytes
Total size : 1435210 Bytes
Signature data size : 1404100 Bytes
Reference data size : 30598 Bytes
Signatures total : 40060
Fingerprints total : 883
Fingerprints size : 30250 Bytes
Target categories : 15
Target families : 674


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:38 %
Total physical memory:245232 kb
Available physical memory:92348 kb
Total page file size:601216 kb
Available on page file:477124 kb
Total virtual memory:2097024 kb
Available virtual memory:2049288 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Play sound at scan completion if scan locates critical objects


5-19-2005 10:44:14 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 344
ThreadCreationTime : 5-20-2005 3:31:11 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 400
ThreadCreationTime : 5-20-2005 3:31:12 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 424
ThreadCreationTime : 5-20-2005 3:31:12 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 476
ThreadCreationTime : 5-20-2005 3:31:12 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 488
ThreadCreationTime : 5-20-2005 3:31:12 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 648
ThreadCreationTime : 5-20-2005 3:31:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 700
ThreadCreationTime : 5-20-2005 3:31:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 828
ThreadCreationTime : 5-20-2005 3:31:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 864
ThreadCreationTime : 5-20-2005 3:31:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 940
ThreadCreationTime : 5-20-2005 3:31:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 1040
ThreadCreationTime : 5-20-2005 3:31:16 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:12 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1628
ThreadCreationTime : 5-20-2005 3:31:27 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [agrsmmsg.exe]
ModuleName : C:\WINDOWS\AGRSMMSG.exe
Command Line : "C:\WINDOWS\AGRSMMSG.exe"
ProcessID : 1692
ThreadCreationTime : 5-20-2005 3:31:28 AM
BasePriority : Normal
FileVersion : 2.1.30 2.1.30 05/23/2003 10:43:49
ProductVersion : 2.1.30 2.1.30 05/23/2003 10:43:49
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:14 [jusched.exe]
ModuleName : C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
Command Line : "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
ProcessID : 1700
ThreadCreationTime : 5-20-2005 3:31:28 AM
BasePriority : Normal


#:15 [pxui.exe]
ModuleName : C:\Program Files\PhreegoExpress\PxUi.exe
Command Line : "C:\Program Files\PhreegoExpress\PxUi.exe" /Automation
ProcessID : 1748
ThreadCreationTime : 5-20-2005 3:31:28 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : Proxyconn Accelerator
CompanyName : Proxyconn, Inc.
FileDescription : Proxyconn User Interface
InternalName : PxUi
LegalCopyright : Copyright © Proxyconn, Inc. 2001-2003
OriginalFilename : PxUi.EXE

#:16 [pxclient.exe]
ModuleName : C:\Program Files\PhreegoExpress\PxClient.exe
Command Line : "C:\Program Files\PhreegoExpress\PxClient.exe" -ok
ProcessID : 1808
ThreadCreationTime : 5-20-2005 3:31:30 AM
BasePriority : Normal


#:17 [dialer.exe]
ModuleName : C:\Program Files\Phreego Network\dialer.exe
Command Line : "C:\Program Files\Phreego Network\dialer.exe" dial
ProcessID : 1892
ThreadCreationTime : 5-20-2005 3:31:32 AM
BasePriority : Normal
FileVersion : 3.0.5.4
ProductVersion : 3.05a
ProductName : ISPWizard Dialer - Internet Setup Program Wizard Dialer
CompanyName : ISPWizard
FileDescription : ISPWizard Dialer
LegalCopyright : Copyright 2000-2005 Mark Griffiths
Comments : http://www.ispwizard.com

#:18 [iexplore.exe]
ModuleName : C:\Program Files\Internet Explorer\IEXPLORE.EXE
Command Line : "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
ProcessID : 1672
ThreadCreationTime : 5-20-2005 3:37:26 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:19 [xenldpc.exe]
ModuleName : C:\WINDOWS\System32\xenldpc.exe
Command Line : C:\WINDOWS\System32\xenldpc.exe
ProcessID : 1560
ThreadCreationTime : 5-20-2005 3:43:11 AM
BasePriority : Normal


#:20 [acltfp.exe]
ModuleName : C:\WINDOWS\System32\acltfp.exe
Command Line : C:\WINDOWS\System32\acltfp.exe
ProcessID : 1740
ThreadCreationTime : 5-20-2005 3:43:13 AM
BasePriority : Normal


#:21 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1712
ThreadCreationTime : 5-20-2005 3:43:58 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adintelligence.AproposToolbar Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{016235be-59d4-4ceb-add5-e2378282a1d9}

Adintelligence.AproposToolbar Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b548b7d8-3d03-4aed-a6a1-4251fad00c10}

Adintelligence.AproposToolbar Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b548b7d8-3d03-4aed-a6a1-4251fad00c10}
Value :

Adintelligence.AproposToolbar Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b99a727f-0782-4a71-bcc2-6e1e66414904}

Adintelligence.AproposToolbar Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b99a727f-0782-4a71-bcc2-6e1e66414904}
Value :

BookedSpace Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\bookedspace.dll

BookedSpace Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\bookedspace.dll
Value : AppID

BookedSpace Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{0dc5cd7c-f653-4417-aa43-d457be3a9622}

BookedSpace Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{0dc5cd7c-f653-4417-aa43-d457be3a9622}
Value :

BookedSpace Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bookedspace.extension

BookedSpace Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bookedspace.extension
Value :

BookedSpace Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bookedspace.extension.5

BookedSpace Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bookedspace.extension.5
Value :

BookedSpace Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0019c3e2-dd48-4a6d-abcd-8d32436323d9}

BookedSpace Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0019c3e2-dd48-4a6d-abcd-8d32436323d9}
Value :

BookedSpace Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0019c3e2-dd48-4a6d-abcd-8d32436323d9}
Value : AppID

BookedSpace Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{05080e6b-a88a-4cfd-8c3d-9b2557670b6e}

BookedSpace Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{05080e6b-a88a-4cfd-8c3d-9b2557670b6e}
Value :

BookedSpace Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0dc5cd7c-f653-4417-aa43-d457be3a9622}

Adintelligence.AproposToolbar Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{016235be-59d4-4ceb-add5-e2378282a1d9}

Adintelligence.AproposToolbar Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\aproposclient

Adintelligence.AproposToolbar Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\aproposclient
Value : UninstallString

BookedSpace Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{0019c3e2-dd48-4a6d-abcd-8d32436323d9}

PeopleOnPage Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\apropos

PeopleOnPage Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\envolo

PeopleOnPage Object Recognized!
Type : Regkey
Data : e_uninstall.log
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\autoupdate

PeopleOnPage Object Recognized!
Type : RegValue
Data : e_uninstall.log
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\autoupdate
Value : UninstallString

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-1229272821-2111687655-1957994488-1004\software\lq
Value : AC

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 28
Objects found so far: 28


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AutoUpdater"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : AutoUpdater

PeopleOnPage Object Recognized!
Type : File
Data : autoupdate.exe
Category : Data Miner
Comment :
Object : c:\program files\autoupdate\



Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 30


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chad@revenue[2].txt
Category : Data Miner
Comment : Hits:17
Value : Cookie:[email protected]/
Expires : 6-10-2022 12:05:42 AM
LastSync : Hits:17
UseCount : 0
Hits : 17

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chad@casalemedia[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 5-10-2006 6:44:38 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/
Expires : 8-31-2008 10:44:02 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 33



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : File
Data : auto_update_install.exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\chad\Local Settings\Temp\AutoUpdate0\



PeopleOnPage Object Recognized!
Type : File
Data : AutoUpdaterInstaller[1].exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\chad\Local Settings\Temporary Internet Files\Content.IE5\WHQNODQB\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 35




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adintelligence.AproposToolbar Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\autoloader

Adintelligence.AproposToolbar Object Recognized!
Type : Folder
Category : Misc
Comment :
Object : C:\Program Files\AutoUpdate

Adintelligence.AproposToolbar Object Recognized!
Type : File
Data : libexpat.dll
Category : Misc
Comment :
Object : C:\Program Files\autoupdate\



PeopleOnPage Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\DOCUME~1\chad\LOCALS~1\Temp\AutoUpdate0

PeopleOnPage Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\docume~1\chad\locals~1\temp\Atf

PeopleOnPage Object Recognized!
Type : File
Data : auto_update_uninstall.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\



PeopleOnPage Object Recognized!
Type : File
Data : auto_update_uninstall.log
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\



PeopleOnPage Object Recognized!
Type : File
Data : auto_update_install.exe
Category : Data Miner
Comment :
Object : C:\DOCUME~1\chad\LOCALS~1\Temp\autoupdate0\



PeopleOnPage Object Recognized!
Type : File
Data : setup.inf
Category : Data Miner
Comment :
Object : C:\DOCUME~1\chad\LOCALS~1\Temp\autoupdate0\



PeopleOnPage Object Recognized!
Type : File
Data : ace.dll
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\
FileVersion : 5.1.18
ProductVersion : 5.1.18
ProductName : ACE
FileDescription : ACE
InternalName : ACEDLL
OriginalFilename : ACE.DLL


PeopleOnPage Object Recognized!
Type : File
Data : AI_19-05-2005.log
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\



PeopleOnPage Object Recognized!
Type : File
Data : atl.dll
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\
FileVersion : 3.00.9435
ProductVersion : 6.00.9435
ProductName : Microsoft ® Visual C++
CompanyName : Microsoft Corporation
FileDescription : ATL Module for Windows NT (Unicode)
InternalName : ATL
LegalCopyright : Copyright © Microsoft Corp. 1996-1998
OriginalFilename : ATL.DLL


PeopleOnPage Object Recognized!
Type : File
Data : CxtPls.dll
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\



PeopleOnPage Object Recognized!
Type : File
Data : CxtPls.exe
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Ads
CompanyName : Apropos Media
FileDescription : Internet Explorer
InternalName : Ads.
LegalCopyright : Copyright © 2003
OriginalFilename : SysAI.exe


PeopleOnPage Object Recognized!
Type : File
Data : data.bin
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\



PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\



PeopleOnPage Object Recognized!
Type : File
Data : ProxyStub.dll
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\



PeopleOnPage Object Recognized!
Type : File
Data : uninstaller.exe
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\



PeopleOnPage Object Recognized!
Type : File
Data : WinGenerics.dll
Category : Data Miner
Comment :
Object : C:\Program Files\cxtpls\



Ebates MoneyMaker Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TR

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : leck

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : country

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : city

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : state

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.8

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.9

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.0

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.1

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.2

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.3

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.4

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.5

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.6

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : LU3.7

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 43
Objects found so far: 78

10:48:13 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:03:58.844
Objects scanned:71610
Objects identified:78
Objects ignored:0
New critical objects:78
  • 0

#4
Guest_thatman_*
Posted 20 May 2005 - 06:59 PM

Guest_thatman_*
  • Guest
Hi

Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. run a full scan save the log.

Post the ewido log and a new HJT.Log

Kc :tazz:
  • 0

#5
chbroad
Posted 22 May 2005 - 08:28 AM

chbroad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks for your help, I've done as you asked. Here are my ewido log and hjt log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:58:41 PM, 5/21/2005
+ Report-Checksum: CBE54529

+ Date of database: 5/21/2005
+ Version of scan engine: v3.0

+ Duration: 9 min
+ Scanned Files: 30109
+ Speed: 53.22 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\WINDOWS\system32\eliteohl32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End

--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:28:26 AM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\PhreegoExpress\PxUi.exe
C:\WINDOWS\System32\acltfp.exe
C:\WINDOWS\System32\xenldpc.exe
C:\Program Files\PhreegoExpress\PxClient.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Phreego Network\dialer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\PhreegoExpress\PxUi.exe" /Automation
O4 - HKLM\..\Run: [03tf3EX] acltfp.exe
O4 - HKLM\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [H02pROb7P] xenldpc.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show with Full Quality - res://C:\PROGRA~1\PHREEG~1\PRXCNB~1.DLL/IDR_HTML2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{710EAD98-F33D-48AB-8A32-C07A4EBC9D05}: NameServer = 216.151.83.45 216.151.83.55
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
  • 0

#6
Guest_thatman_*
Posted 22 May 2005 - 09:40 AM

Guest_thatman_*
  • Guest
Hi chbroad

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. Don't run yet

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan save the log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [03tf3EX] acltfp.exe
O4 - HKLM\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [H02pROb7P] xenldpc.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\cfgmgr52.dll (file missing)
C:\Program Files\CxtPls\cxtpls.dll
C:\WINDOWS\svchost.exe
C:\WINDOWS\AUNPS2.DLL
C:\WINDOWS\System32\AUNPS2.DLL
C:\WINDOWS\System32\snuninst.exe
C:\WINDOWS\System32\acltfp.exe
C:\WINDOWS\System32\xenldpc.exe
C:\Program Files\sf\sf.exe
C:\WINDOWS\sfita.exe
Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.When the scan has finnished click the close button
When prompted Reboot to let it clean out the remaining files.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda, Ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#7
Guest_Andy_veal_*
Posted 22 May 2005 - 03:56 PM

Guest_Andy_veal_*
  • Guest
Moving this topic to the HJT forum to save confusion.

:tazz:
  • 0

#8
chbroad
Posted 22 May 2005 - 08:06 PM

chbroad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I've done all as requested. Thank you.
_____________________________________________
PANDA
_____________________________________________

Incident Status Location

Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\ukfk\ukfkd\ukfkc.dll
Adware:Adware/Apropos No disinfected C:\Program Files\hijackthis\backups\backup-20050522-193541-903.dll
Adware:Adware/InstaFinder No disinfected C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\acltfp.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\Cache\InstallAPS.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\system32\Cache\optimize.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.008
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\xenldpc.exe
_________________________________________________
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:21:09 PM, 5/22/2005
+ Report-Checksum: AB6457BD

+ Date of database: 5/22/2005
+ Version of scan engine: v3.0

+ Duration: 14 min
+ Scanned Files: 30321
+ Speed: 34.48 Files/Second
+ Infected files: 7
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\chad\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\chad\Cookies\chad@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\chad\Cookies\chad@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\chad\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\chad\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.POP.dl -> Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g -> Cleaned with backup
C:\WINDOWS\system32\auto_update_uninstall.exe -> Spyware.Apropos -> Cleaned with backup


::Report End
_________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 9:19:52 AM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\PhreegoExpress\PxUi.exe
C:\WINDOWS\System32\acltfp.exe
C:\WINDOWS\System32\xenldpc.exe
C:\Program Files\PhreegoExpress\PxClient.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\PhreegoExpress\PxUi.exe" /Automation
O4 - HKLM\..\Run: [03tf3EX] acltfp.exe
O4 - HKLM\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [H02pROb7P] xenldpc.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show with Full Quality - res://C:\PROGRA~1\PHREEG~1\PRXCNB~1.DLL/IDR_HTML2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

_________________________________________________
  • 0

#9
Guest_thatman_*
Posted 22 May 2005 - 08:25 PM

Guest_thatman_*
  • Guest
Hi chbroad

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O4 - HKLM\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [03tf3EX] acltfp.exe
O4 - HKLM\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Users System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [H02pROb7P] xenldpc.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\RunServices: [Users System] C:\WINDOWS\svchost.exe
Click on Fix Checked when finished and exit HijackThis.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\System32\xenldpc.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\cfgmgr52.dll (file missing)
C:\WINDOWS\svchost.exe
RUNDLL32 AUNPS2.DLL,_Run@16
C:\WINDOWS\System32\snuninst.exe
acltfp.exe
C:\Program Files\sf\sf.exe
C:\WINDOWS\sfita.exe
C:\Program Files\Common Files\ukfk\ukfkd\ukfkc.dll
C:\Program Files\hijackthis\backups\backup-20050522-193541-903.dll
C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\system32\acltfp.exe
C:\WINDOWS\system32\Cache\InstallAPS.exe
C:\WINDOWS\system32\Cache\optimize.exe
C:\WINDOWS\system32\ezPopStub.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\winupdt.008
C:\WINDOWS\system32\winupdt.bin
C:\WINDOWS\system32\xenldpc.exe
Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#10
chbroad
Posted 23 May 2005 - 10:03 PM

chbroad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Did as requested. Things are running much smoother now! Here are the logs form Panda and HJT.

Thank you, Chad

---------------------------------------------------------------
PANDA
---------------------------------------------------------------
Incident Status Location

Adware:Adware/Apropos No disinfected C:\Program Files\hijackthis\backups\backup-20050522-193541-903.dll
--------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:02:24 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\PhreegoExpress\PxUi.exe
C:\Program Files\PhreegoExpress\PxClient.exe
C:\Program Files\Phreego Network\dialer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\PhreegoExpress\PxUi.exe" /Automation
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show with Full Quality - res://C:\PROGRA~1\PHREEG~1\PRXCNB~1.DLL/IDR_HTML2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{710EAD98-F33D-48AB-8A32-C07A4EBC9D05}: NameServer = 216.151.83.45 216.151.83.55
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
  • 0

#11
Guest_thatman_*
Posted 24 May 2005 - 08:42 AM

Guest_thatman_*
  • Guest
Hi chbroad

Congratulations! Your system is CLEAN ;)

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.
SpyBot Search & Destroy v1.3
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn of system restore
Disabling or enabling Windows XP System Restore
WIndows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Kc :tazz:
  • 0

#12
chbroad
Posted 24 May 2005 - 07:51 PM

chbroad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
You ROCK!

Thanks so much for your help! How do I go about making a donation through PayPal?

--Chad
  • 0

#13
Guest_thatman_*
Posted 25 May 2005 - 02:28 AM

Guest_thatman_*
  • Guest
Hi chbroad

Thanks for the offer.

I do this for free

Have a nice day.

Kc :tazz:
  • 0

#14
Guest_thatman_*
Posted 25 May 2005 - 02:47 AM

Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP