I've Some Bonzibuddy, Sahagent, Alexa, Marketscore


#1 sanedrin (New Member, 9 posts)
Hi!! I'm surprised about this service, for free! Thanks very much.
It's my first post.

I try to have safe surfing habits, and I use AVG anti-virus, Zone Alarm Firewall, and Ad-Aware 6.1. I often scan my computer for viruses and spyware. Except for some cookies (which I simply delete using the browser) and a couple of RegDatas (which I think are a false positive from Ad-Aware: if deleted, my browser starts with the MSN page instead of a blank page), this software didn't report any threats.

Despite this, I recently downloaded a free trial of XoftSpy, which reported 4 threats, one of them (nsreg.dat) as high rated. I'm not sure if it's a false positive from XoftSpy, as nsreg.dat seems to be something related to Netscape (although it isn't installed on my computer).

I don't know very much about viruses, and would be grateful if someone could help:
-- Are both RegDatas threats?
-- When bad cookies are found, is it safe to simply remove them?
-- What is that nsreg.dat, and the other 3 parasites found by XoftSpy?

An extract of the logs follows (the XoftSpy one is hand-picked; sorry for any mistake):
_____________________

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :martes, 21 de septiembre de 2004 14:07:13
Created with Ad-aware Personal, free for private use.
Using reference-file :01R341 14.09.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


21-09-04 14:07:13 - Scan started. (Custom mode)

(****....HERE A LIST OF RUNNING PROCESSES, OMITTED****)

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : standard@doubleclick[1].txt
Object : C:\WINDOWS\Cookies\

Created on : 21/09/04 10:36:20
Last accessed : 20/09/04 22:00:00
Last modified : 21/09/04 10:36:22



Tracking Cookie Object recognized!
Type : File
Data : standard@z1.adserver[1].txt
Object : C:\WINDOWS\Cookies\

Created on : 21/09/04 10:37:24
Last accessed : 20/09/04 22:00:00
Last modified : 21/09/04 10:37:26
___________________________________________________________________

******** END OF THE EXTRACT OF THE AD-AWARE LOG *******************
******** AN EXTRACT OF XOFTSPY LOG FOLLOWS : *******************
___________________________________________________________________

VENDOR -- TYPE -- CATEGORY -- OBJECT -- DANGER

BonziBuddy -- Registry Key -- DataMiner -- software\classes\clsid\{ca141fd0-ac7f-11d1-97a3-0060082730ff} -- Annoyance

SAHAgent -- Registry Key -- SpyWare -- Software\WinSock2 -- Threat

Alexa -- Registry Value -- DataMiner -- Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -- Minor Annoyance

Marketscore (Netsetter) -- File -- DataMiner -- C:\WINDOWS\nsreg.dat -- High Threat
__________________________________________________________________

******** END OF THE EXTRACT OF THE xoftspy LOG *******************
__________________________________________________________________

_____________________

#2 sanedrin (New Member, Topic Starter, 9 posts)
Oops, the XoftSpy log more clearly:
___________________________________________________________________

******** AN EXTRACT OF XOFTSPY LOG FOLLOWS : *******************
___________________________________________________________________

VENDOR -- TYPE -- CATEGORY -- OBJECT -- DANGER

BonziBuddy -- Registry Key -- DataMiner -- software\classes\clsid\{ca141fd0-ac7f-11d1-97a3-0060082730ff} -- Annoyance

SAHAgent -- Registry Key -- SpyWare -- Software\WinSock2 -- Threat

Alexa -- Registry Value -- DataMiner -- Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -- Minor Annoyance

Marketscore (Netsetter) -- File -- DataMiner -- C:\WINDOWS\nsreg.dat -- High Threat

__________________________________________________________________

******** END OF THE EXTRACT OF THE xoftspy LOG *******************
__________________________________________________________________

#3 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Hi Sanedrin. Welcome to Geeks to Go. <_<

It sounds as if you have some great surfing habits. Before we can help you, we will need to see a Hijack This Log.

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Edited by coachwife6, 21 September 2004 - 09:16 AM.


#4 sanedrin (New Member, Topic Starter, 9 posts)
Well, here's the log from HiJackThis. I'm not sure I understand the log, but there seem to be more running processes than are shown when I type ctrl-alt-del <_<

Logfile of HijackThis v1.98.2
Scan saved at 4:11:18, on 22/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\ROLAND\VSC32\VSC32CNF.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\ARCHIVOS DE PROGRAMA\AVG6_ANTIVIRUS\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\ARCHIVOS DE PROGRAMA\ONE-TOUCH\CP32NBTN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ARCHIVOS DE PROGRAMA\ROLAND\VSC32\VSCVOL.EXE
C:\WINDOWS\SYSTEM\OCBTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ZONEALARM\ZLCLIENT.EXE
C:\ARCHIVOS DE PROGRAMA\AVG6_ANTIVIRUS\AVGCC32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\ARCHIVOS DE PROGRAMA\ONE-TOUCH\CDROMMNT.EXE
C:\ARCHIVOS DE PROGRAMA\M-AUDIO MOBILEPRE\MPTASK.EXE
C:\ARCHIVOS DE PROGRAMA\ONE-TOUCH\KBOSDCTL.EXE
C:\ARCHIVOS DE PROGRAMA\ONE-TOUCH\CP32NKCC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\TEMP\ANTIVIRUS_JUN04\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBEREADER\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\ARCHIV~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [hpppta] C:\Archivos de programa\HP_PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Archivos de programa\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Archivos de programa\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIVOS DE PROGRAMA\AVG6_ANTIVIRUS\avgcc32.exe /startup
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PavProc] C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARCHIV~1\AVG6_A~1\Avgserv9.exe
O4 - Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Archivos de programa\M-Audio MobilePre\MPTask.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = eis.uva.es
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 157.88.200.33

#5 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Not sure how this works, but can you translate your log to English? Does it have that capability? Maybe we can muddle through it anyhow. <_<

Edited by coachwife6, 21 September 2004 - 08:55 PM.


#6 sanedrin (New Member, Topic Starter, 9 posts)
Hi again, coachwife! Thanks for your interest and help :D

I don't know what I should translate exactly. As far as I see, the file from HJT is mostly in English. As to the rest, English isn't my native language, but I'm trying to improve <_<
Anyway, the only Spanish words I see in the file are:

ARCHIVOS DE PROGRAMA ---meaning literally----> Program Files

which is the folder where I usually install programs. There is also a folder named PROGRAM FILES (in English) on my computer, but it solely contains the installation of the touchpad (I use a laptop).

Any suggestions are welcome.

#7 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
That will work. I wasn't sure if there was a button to translate the language automatically. I have seen it, but never used it. I think it will work just fine the way it is.

#8 sanedrin (New Member, Topic Starter, 9 posts)
Thanks a lot.
So I anxiously await your kind directives <_<

#9 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Thank you for being patient. I wanted to make sure I got this right and translated it correctly.
I really could not find anything wrong with your computer. Are you still having troubles? I found a few questionable entries, but left them.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos (Is this your home page? If so, leave it. If not, put a check mark by it.)
O4 - Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Archivos de programa\M-Audio MobilePre\MPTask.exe (resource hog)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab (you are running AVG, so you don't need this. Delete this.)

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
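As an added example (not from this thread, from HijackThis, or from Geeks to Go), here is a small Python parser for the log shape posted above that groups the R/O entries by section and pulls out the items a helper looks at first. The sample lines are constructed from this thread's log, and the "review" categories (downloaded ActiveX installers, DNS/domain settings, autostarts given only by file name) are my own triage heuristic, not anything HijackThis itself outputs.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape of the HijackThis v1.98 log posted in this thread.
SAMPLE_LOG = "\n".join([
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",  # process-list line, not an R/O entry
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBEREADER\READER\ACTIVEX\ACROIEHELPER.DLL",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\ZoneAlarm\zlclient.exe"',
    r"O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service",
    r"O4 - Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Archivos de programa\M-Audio MobilePre\MPTask.exe",
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab",
    r"O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 157.88.200.33",
])

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")            # every HJT finding
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")  # registry Run/RunServices
STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<command>.*)$")       # Startup-folder shortcut
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def parse_hjt(text):
    """Return one dict per R/F/N/O entry; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = {"section": m["section"], "body": m["body"]}
        sub = None
        if entry["section"] == "O4":
            sub = O4_RE.match(entry["body"]) or STARTUP_RE.match(entry["body"])
        elif entry["section"] == "O16":
            sub = DPF_RE.match(entry["body"])
        if sub:
            entry.update(sub.groupdict())
        entries.append(entry)
    return entries


def bare_command(command):
    """True when the autostart names a file with no directory, so Windows finds it via the search path."""
    exe = command.strip().strip('"').split(" ")[0]
    return "\\" not in exe and ":" not in exe


def triage(entries):
    """Group by section and list what gets checked first (heuristic chosen for this example)."""
    by_section, review = defaultdict(list), []
    for e in entries:
        by_section[e["section"]].append(e)
        if e["section"] == "O16":
            review.append(("downloaded ActiveX", e.get("url", e["body"])))
        elif e["section"] == "O17":
            review.append(("DNS/domain setting", e["body"]))
        elif e["section"] == "O4" and "command" in e and bare_command(e["command"]):
            review.append(("autostart by bare file name", e["name"]))
    return dict(by_section), review
```

Entries that the heuristic does not flag, such as the O2 BHO and the full-path O4 autostarts, still appear in the per-section grouping so nothing in the log is hidden from the reviewer.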

#10 sanedrin (New Member, Topic Starter, 9 posts)
Hi coachwife! Thanks a lot.
I deleted everything you said, and got rid of an annoying folder in my favourites, which I was unable to delete till now. And the other 2 processes you told me about should be redundant ones (as you said), since once deleted, everything seems to work as before.

I'm a bit calmer, because you didn't find anything bad in my HJT log. But regarding my initial doubts, things are getting worse: that program I told you about, XoftSpy, still finds those 4 things (2 registry keys, one registry value and one file), plus a new WORM!! None of them are detected by Ad-Aware. The XoftSpy report about the worm is as follows:

Vendor: W·32-Ticton-A
Type: Registry Value
Category: WORM
Object: Software\Microsoft\Windows\current version\run\critical update
Danger: Miner

A fresh HJT log follows just for your information, but don't worry. I think you did your best analyzing my previous HJT file, and I'm very grateful. Perhaps that XoftSpy is giving false positives... I'll try to find out if someone else has used that program, and how it was.

Just 1 more question: should I delete this? (seems to be another Panda process):
O4 - HKLM\..\RunServices: [PavProc] C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\PavPrS9x.exe
Again, thanks
_________________


Logfile of HijackThis v1.98.2
Scan saved at 4:38:34, on 26/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\ROLAND\VSC32\VSC32CNF.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\ARCHIVOS DE PROGRAMA\AVG6_ANTIVIRUS\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\ARCHIVOS DE PROGRAMA\ONE-TOUCH\CP32NBTN.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ARCHIVOS DE PROGRAMA\ROLAND\VSC32\VSCVOL.EXE
C:\WINDOWS\SYSTEM\OCBTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARCHIVOS DE PROGRAMA\ZONEALARM\ZLCLIENT.EXE
C:\ARCHIVOS DE PROGRAMA\AVG6_ANTIVIRUS\AVGCC32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\ARCHIVOS DE PROGRAMA\ONE-TOUCH\CDROMMNT.EXE
C:\ARCHIVOS DE PROGRAMA\ONE-TOUCH\KBOSDCTL.EXE
C:\ARCHIVOS DE PROGRAMA\ONE-TOUCH\CP32NKCC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\TEMP\ANTIVIRUS_JUN04\HJT\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBEREADER\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\ARCHIV~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [hpppta] C:\Archivos de programa\HP_PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Archivos de programa\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Archivos de programa\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIVOS DE PROGRAMA\AVG6_ANTIVIRUS\avgcc32.exe /startup
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PavProc] C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\PavPrS9x.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARCHIV~1\AVG6_A~1\Avgserv9.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = eis.uva.es
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 157.88.200.33

#11 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
http://www.spywarewa...opic.php?t=2678

I found this topic on the product you're running. I will continue searching about its reliability. Remember, this is one person's opinion.

#12 sanedrin (New Member, Topic Starter, 9 posts)
Oh oh, perhaps I trusted the advertisement of that software too much. I'll also look for further information about the reliability of that XoftSpy. It may be the problem instead of the solution :-(
Thanks for your time and kindness
JC
_________________