Geeks To Go forums
mediagateway.exe, SAHagent, WebSearch Toolbar [RESOLVED]


This topic is locked.

#1 Globaliser (Member, 13 posts)

I was hit by something called mediagateway.exe, which seemed to be something to do with SAHagent or WebSearch Toolbar. Every 24 hours there was another attempt to download another set of this stuff. My virus scanner, AdAware and Spybot could only deal with the consequences and didn't kill either mediagateway.exe or whatever else might have been running every 24 hours.

After some research, I have uninstalled mediagateway.exe and killed everything else that was found by AdAware, Spybot and Housecall. My XP Pro SP1 is up to date.

Is there anything else that I need to do? The HJT log follows. I am suspicious of the first and third O16 entries, and the last three O16 entries as well.

Many thanks!

Logfile of HijackThis v1.99.1
Scan saved at 20:58:53, on 20.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\WINDOWS\system32\userinit.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://p089.ezboard.com/bhottalk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: StarUpdater.exe.lnk = ?
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bc.edu/bc...er/tdserver.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb7.city....ad/mgaxctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21...r_loader/uk.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1025966.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 1tg.local
O17 - HKLM\Software\..\Telephony: DomainName = 1tg.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 1tg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 1tg.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


#2 Rawe (Visiting Staff, 4,746 posts)

Hello and welcome, I'm really sorry about the late reply. Do you still need help, or have you gotten help elsewhere? Please let me know. If you still need help, I need a fresh HijackThis log. Again, sorry for the late reply.

- Rawe :tazz:

#3 Globaliser (Topic Starter, 13 posts)

Although I've not seen any overt problems since my first post, I haven't had any help from anywhere else and I'd still appreciate an expert eye being cast over this to make sure that I have fixed what's necessary and that there aren't any more lurking problems. Many thanks - and no apologies necessary, as I'm very glad of any help I can get!

Logfile of HijackThis v1.99.1
Scan saved at 15:24:52, on 01.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\WINDOWS\system32\userinit.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://p089.ezboard.com/bhottalk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: StarUpdater.exe.lnk = ?
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bc.edu/bc...er/tdserver.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb7.city....ad/mgaxctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21...r_loader/uk.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1025966.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 1tg.local
O17 - HKLM\Software\..\Telephony: DomainName = 1tg.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 1tg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 1tg.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#4 Rawe (Visiting Staff, 4,746 posts)

Not looking bad. But let's see what we'll catch.

Download CleanUp!

Run the CleanUp! installer.

Now run CleanUp! and reboot. Run this online scan for me and post the results:

Panda Activescan

Let it also fix anything it finds.

- Rawe :tazz:

#5 Globaliser (Topic Starter, 13 posts)

Thanks!

Activescan log follows:-
Incident                      Status                        Location
Virus:Trj/Downloader.CHF      Disinfected                   C:\Documents and Settings\rt\Local Settings\Application Data\Microsoft\Internet Explorer\V0.21.dat
Adware:Adware/WUpd            No disinfected                C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Adware:Adware/BTGrab          No disinfected                C:\WINDOWS\INF\btgrab.inf


#6 Rawe (Visiting Staff, 4,746 posts)

Ok, let's see what we can do ;)

Please print these instructions out, or write them down, as you can't read them during the fix.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions; otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Get CleanUp! ready to be used.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following;

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Open Ad-aware and do a Full Scan. Remove all it finds.

Launch Ewido and do a Full Scan. Clean anything it finds.

When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop.
Close Ewido.

Use Windows Explorer, and locate the following file and delete if present;

C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll

Let me know if you can't see it.

Now run CleanUp! and reboot. Boot into normal mode.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notebook onto your post
Now go back, run a new scan with HijackThis and post the fresh log here along with the Ewido log and the uninstall list.

- Rawe :tazz:

#7 Globaliser (Topic Starter, 13 posts)

I've done this as closely as I could.

1. I couldn't log on to Windows in safe mode using the same user name, as that required network connections that didn't seem to be running in safe mode, so I had to revert to an older standalone user name. But AdAware and Ewido seemed to scan all the relevant folders so I hope that this isn't fatal.

2. Ewido detected one Flash executable as a joke program and offered deletion, but I didn't delete it because I've had it a long time and this isn't the only time it's been suggested for deletion.

3. C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll was deleted by Ewido (it was specifically offered) and therefore wasn't present when I was looking for it using Windows Explorer.

Many thanks!

Ewido log:-

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:  13:00:49, 02.08.2005
+ Report-Checksum:  D4EB5428

+ Scan result:

C:\Program Files\AOL 7.0\download\Joke programs\washing machine.exe -> Not-A-Virus.Joke.Train : Ignored
HKLM\SOFTWARE\Classes\TypeLib\{948A53C0-724B-4386-B84D-EB7D3DCD1600} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\rt\Cookies\rt@122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\rt\Cookies\rt@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup


::Report End


Uninstall Manager report:-

Active Disk
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Adobe Reader Korean Fonts
AMGRPH
AOL UK
ArcSoft PhotoImpression 3.0
Availability Tool
Civil Procedure Forms
CleanUp!
ConcordeScreensaver
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Copy Utility
Dell ResourceCD
Dell Solution Center
DirectX 9 Hotfix - KB839643
DivX Player
Easy CD Creator 5 Basic
EPSON Photo Print
EPSON Smart Panel
EPSON TWAIN 5
ewido security suite
HijackThis 1.99.1
Internet Explorer Q903235
IomegaWare 4.0.2
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_02
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
LiveNote SR Demonstration
Logitech Desktop Messenger
Logitech MouseWare 9.73
Logitech Resource Center
McAfee VirusScan Enterprise
Microsoft Data Access Components KB870669
Microsoft Interactive Training
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft PowerPoint Viewer 97
Modem Helper
MUSICMATCH Jukebox
NVIDIA Windows 2000/XP Display Drivers
Personal Injury Practice
PhoneTools
QuickTime
RealPlayer
Realtek RTL8139 Diagnostics Program
Remove DivX Codec
Remove Hidden Data Tool
SabreTool
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB901214)
SkyGuide Screen Saver
Spybot - Search & Destroy 1.3
Star Alliance Screen Saver
Update for Windows XP (KB898461)
Viewpoint Media Player (Remove Only)
Webshots Desktop
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883357
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB897715
WinPcap 3.1 beta
WinZip


HijackThis! log:-

Logfile of HijackThis v1.99.1
Scan saved at 13:12:13, on 02.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Star Alliance Timetable\StarUpdater.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://p089.ezboard.com/bhottalk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: StarUpdater.exe.lnk = ?
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bc.edu/bc...er/tdserver.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb7.city....ad/mgaxctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1025966.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 1tg.local
O17 - HKLM\Software\..\Telephony: DomainName = 1tg.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 1tg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 1tg.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



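The O16 (DPF) lines above are the part of this log worth triaging by hand: each one is a control that Internet Explorer downloaded through a CODEBASE URL and registered under HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID}, with the CAB/OCX dropped into C:\WINDOWS\Downloaded Program Files (the SpySweeper log further down the thread reports exactly that key for {15AD6789-...}). As an added example, not part of the original post or of HijackThis, here is a Python triage script run over a constructed subset of those O16 lines, with the forum's "..." truncation of the URLs kept as posted. The flags it raises are analyst heuristics and assumptions of this example, not HijackThis logic: a control with no registered friendly name, a raw IP address as the download host, and a CODEBASE pointing at an .exe rather than a .cab/.ocx/.dll.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Where Internet Explorer records every control installed through a CODEBASE
# URL (the key HijackThis reads O16 entries from); the package itself lands in
# C:\WINDOWS\Downloaded Program Files.
DIST_UNITS = r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units" + "\\"

# Constructed sample: a subset of the O16 lines from the log above, left
# exactly as the forum shortened them ("..." inside the URL).
SAMPLE_O16 = """\
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1025966.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
"""

O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"(?: \((?P<name>[^)]*)\))?"   # friendly name is optional; its absence is itself a signal
    r" - (?P<url>\S+)$"
)
TRUNCATED = "URL truncated in log; verify full host"
HARD_FLAGS = {"unnamed control", "raw IP host", "executable payload"}


def host_of(url):
    """Return (host, truncated). A '...' left by the forum cuts the host short."""
    netloc = urlsplit(url).netloc
    host = netloc.split("...", 1)[0].split(":", 1)[0]
    return host, "..." in url


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_o16(text):
    """Parse every O16 line in a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        host, truncated = host_of(m["url"])
        clsid = m["clsid"].upper()
        entries.append({
            "clsid": clsid, "name": m["name"] or "", "url": m["url"],
            "host": host, "truncated": truncated,
            "registry_key": DIST_UNITS + clsid,
        })
    return entries


def flag_entry(e):
    """Analyst heuristics (assumptions of this example, not HijackThis logic):
    each flag is a reason to look closer, not proof of malware."""
    flags = []
    if not e["name"]:
        flags.append("unnamed control")      # no registered description: common for adware droppers
    if e["host"] and is_ip(e["host"]):
        flags.append("raw IP host")          # named hosts are the norm for vendor-served controls
    if e["url"].lower().endswith(".exe"):
        flags.append("executable payload")   # a CODEBASE should deliver a .cab/.ocx/.dll, not an installer
    if e["truncated"]:
        flags.append(TRUNCATED)
    return flags


def triage(text):
    return [dict(e, flags=flag_entry(e)) for e in parse_o16(text)]


def suspicious(text):
    """CLSIDs carrying at least one hard flag: the ones to fix in HijackThis and
    then confirm gone under their Distribution Units subkey."""
    return [e["clsid"] for e in triage(text) if HARD_FLAGS & set(e["flags"])]


if __name__ == "__main__":
    for e in triage(SAMPLE_O16):
        print(e["clsid"], e["name"] or "<no name>", e["host"], ", ".join(e["flags"]) or "-")
```

On a real log the whole file can be passed to triage(); only O16 lines match. After fixing a flagged entry in HijackThis, the check that it is really gone is that its Distribution Units subkey and the matching file in C:\WINDOWS\Downloaded Program Files no longer exist.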
#8 Rawe (Visiting Staff)

Ok, I want you to do a few things. The uninstall list showed a couple of things for me. Firstly, is this program something you use specifically?

AMGRPH

Next, your version of SpyBot is an old one ;)

Let's take a few steps to upgrade it.

Before installing Spybot S&D 1.4

1. Undo immunization
2. If SDHelper and TeaTimer are enabled, deactivate them first.
3. If Opera Browser is installed, de-select protection for Opera Immunity
4. Uninstall old version of Spybot S&D

Then, copy & paste the following text from the code box to a blank notepad file. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\PepiMK Software\SpyBotSnD]
[-HKEY_CURRENT_USER\Software\PepiMK Software\SpyBotSnD]

[-HKEY_CLASSES_ROOT\Applications\SpybotSD.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyBotSnD]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1]

[-HKEY_CLASSES_ROOT\CLSID\{53707962-6F74-2D53-2644-206D7942484F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[-HKEY_CLASSES_ROOT\.disabled]
[-HKEY_CLASSES_ROOT\.sbb]
[-HKEY_CLASSES_ROOT\.sbe]
[-HKEY_CLASSES_ROOT\.sbi]
[-HKEY_CLASSES_ROOT\.sbs]
[-HKEY_CLASSES_ROOT\.tnfo]
[-HKEY_CLASSES_ROOT\.uti]
[-HKEY_CLASSES_ROOT\.uts]

[-HKEY_CLASSES_ROOT\SpybotSD.DisabledFile]
[-HKEY_CLASSES_ROOT\SpybotSD.SBBFile]
[-HKEY_CLASSES_ROOT\SpybotSD.SBEFile]
[-HKEY_CLASSES_ROOT\SpybotSD.SBIFile]
[-HKEY_CLASSES_ROOT\SpybotSD.SBSFile]
[-HKEY_CLASSES_ROOT\SpybotSD.TInfoFile]
[-HKEY_CLASSES_ROOT\SpybotSD.UTIFile]
[-HKEY_CLASSES_ROOT\SpybotSD.UTSFile]

Save it as clean.reg to your desktop.
Double-click clean.reg and, when it asks if you want to merge it into the registry, click YES.

Now reboot.

Download & install the latest version here:

http://www.majorgeek...troy_d2471.html

(Note: do NOT use TeaTimer on this install yet, since we might have to do some fixing AND it might interfere with it.)

When booted back to normal mode, do the following:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\Program Files\AOL 7.0\download\Joke programs\washing machine.exe
  • Click on the submit button
  • Please post the results in your next reply.
- Rawe

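Before merging a .reg file like clean.reg it is worth checking it mechanically, both for the format rule in the post (the header has to be line 1, so a stray blank line above REGEDIT4 makes regedit refuse the file) and for the one thing a deletion file must never contain, a [-HIVE] section with no subkey. As an added example, not Rawe's or Spybot's code, here is a Python checker that parses the file, validates it, and prints the equivalent reg.exe commands so the deletions can be reviewed or scripted instead of going through regedit's merge prompt. The sample inputs are constructed (three of the sections from clean.reg, once as written and once with the offending blank line); the hive name table and the `reg delete`/`reg add ... /f` syntax are standard Windows.

```python
import re

# Headers regedit accepts on line 1. REGEDIT4 files are ANSI text; the 5.00
# format is UTF-16LE. Anything before the header, even a blank line, makes
# regedit reject the file, which is why the post insists on none.
HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
HIVES = {  # long names used in .reg files -> short names reg.exe accepts
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU", "HKEY_CURRENT_CONFIG": "HKCC",
}
SECTION_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")

# Constructed samples: three of the deletions from clean.reg above, once as
# written and once with the blank line the post warns against.
SAMPLE_OK = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\PepiMK Software\SpyBotSnD]
[-HKEY_CURRENT_USER\Software\PepiMK Software\SpyBotSnD]

[-HKEY_CLASSES_ROOT\.sbi]
"""
SAMPLE_BAD = "\n" + SAMPLE_OK


class RegFileError(ValueError):
    pass


def parse_reg(text):
    """Return [{'action': 'delete'|'add', 'key': 'HKLM\\...'}, ...], one per
    [key] / [-key] section, raising RegFileError on anything regedit would
    reject or that should never be merged blindly."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise RegFileError("line 1 must be the format header (REGEDIT4 or "
                           "Windows Registry Editor Version 5.00)")
    ops = []
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):   # blank lines and comments are fine after the header
            continue
        m = SECTION_RE.match(line)
        if m is None:
            if "=" in line and ops and ops[-1]["action"] == "add":
                continue                        # "name"=data under a [key] section; values not expanded here
            raise RegFileError(f"line {n}: not a section header or value: {line!r}")
        hive, _, subkey = m["key"].partition("\\")
        short = HIVES.get(hive.upper())
        if short is None:
            raise RegFileError(f"line {n}: unknown hive {hive!r}")
        action = "delete" if m["delete"] else "add"
        if action == "delete" and not subkey:
            raise RegFileError(f"line {n}: refusing to delete the whole {hive} hive")
        ops.append({"action": action, "key": short + "\\" + subkey if subkey else short})
    return ops


def validate(text):
    """None if the file is acceptable, otherwise the error message."""
    try:
        parse_reg(text)
        return None
    except RegFileError as exc:
        return str(exc)


def to_commands(text):
    """Equivalent reg.exe commands (/f suppresses the confirmation prompt),
    for review or for scripting the same cleanup without regedit."""
    return [f'reg {op["action"]} "{op["key"]}" /f' for op in parse_reg(text)]


if __name__ == "__main__":
    print(validate(SAMPLE_BAD))
    print("\n".join(to_commands(SAMPLE_OK)))
```

Run it over the real clean.reg before merging; if validate() returns None the file has the header in the right place and every section names a real hive plus a subkey, and to_commands() gives a list that can be pasted into an elevated cmd prompt instead.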
#9 Globaliser (Topic Starter)

Thanks for the heads-up about the new Spybot - didn't know there was a new one!

AMGRPH is a graphing program which is part of a suite of applications that I use for work. Why it's in its own separate folder I have no idea, but that's what I was given!

Jotti's malware scan returns these results:-

File: washing_machine.exe
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5: 2f1e1389b4e11695f588ba316d767993
Packers detected: UPX

Scanner results:
AntiVir                Found Joke/Around joke
ArcaVir                Found Joke.Kaszana
Avast                  Found Win32:Semnet
AVG Antivirus          Found nothing
BitDefender            Found Joke.Train
ClamAV                 Found nothing
Dr.Web                 Found not a virus Joke.Slidescreen
F-Prot Antivirus       Found joke program
Fortinet               Found nothing
Kaspersky Anti-Virus   Found not-virus:BadJoke.Win32.Train
NOD32                  Found Win32/Train joke
Norman Virus Control   Found nothing
UNA                    Found Joke.Win32.Train
VBA32                  Found Win32.Joke.Train



#10 Rawe (Visiting Staff)

Ok, well, if C:\Program Files\AOL 7.0\download\Joke programs\washing machine.exe is something you want to keep and not delete, there's no need for that then.

I'd like you to run a new Panda scan, and I'll see what's left.

Panda ActiveScan

Post the results. (Let it fix anything it finds.)

- Rawe


#11 Globaliser (Topic Starter)

I got what seems to be a new version of Activescan which didn't offer an option for fixing things. At any rate, the Activescan log says this:-
Incident                      Status                        Location

Dialer:Dialer.DK              No disinfected                C:\Documents and Settings\rt\Local Settings\Application Data\Microsoft\Internet Explorer\V0.26.dat

Dialer:dialer.dk              No disinfected                C:\WINDOWS\Downloaded Program Files\games.inf

Adware:Adware/BTGrab          No disinfected                C:\WINDOWS\INF\btgrab.inf


#12 Rawe (Visiting Staff)

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
- Rawe

#13 Globaliser (Topic Starter)

This is the complete SpySweeper log:-

********
15:48: |···  Start of Session, 02 August 2005  ···|
15:48: Spy Sweeper started
15:48: Sweep initiated using definitions version 507
15:48: Starting Memory Sweep
15:50: Memory Sweep Complete, Elapsed Time: 00:02:06
15:50: Starting Registry Sweep
15:50:  Found Adware: abetterinternet
15:50:  HKU\S-1-5-21-790525478-1482476501-682003330-1129\software\btgrab\  (1 subtraces) (ID = 145850)
15:50:  Found Adware: websearch toolbar
15:50:  HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/qdow_as2.dll\  (2 subtraces) (ID = 146482)
15:50:  Found Adware: winad
15:50:  HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\  (10 subtraces) (ID = 147185)
15:50:  HKCR\appid\mediagateway.exe\  (1 subtraces) (ID = 359541)
15:50:  HKLM\software\classes\appid\mediagateway.exe\  (1 subtraces) (ID = 359543)
15:50:  HKCR\mediagatewayx.installer\  (3 subtraces) (ID = 372857)
15:50:  HKLM\software\classes\mediagatewayx.installer\  (3 subtraces) (ID = 398902)
15:50: Registry Sweep Complete, Elapsed Time:00:00:08
15:50: Starting Cookie Sweep
15:50:  Found Spy Cookie: com.com cookie
15:50:  rt@com[2].txt (ID = 2445)
15:50: Cookie Sweep Complete, Elapsed Time: 00:00:01
15:50: Starting File Sweep
15:56:  Found Adware: livexxx dialer
15:56:  livexxx.inf (ID = 65687)
15:56:  btgrab.inf (ID = 83222)
15:56: File Sweep Complete, Elapsed Time: 00:05:39
15:56: Full Sweep has completed.  Elapsed time 00:07:57
15:56: Traces Found: 31
15:59: Removal process initiated
15:59:  Quarantining All Traces: abetterinternet
15:59:  Quarantining All Traces: websearch toolbar
15:59:  Quarantining All Traces: winad
15:59:  Quarantining All Traces: com.com cookie
15:59:  Quarantining All Traces: livexxx dialer
15:59: Removal process completed.  Elapsed time 00:00:10
********
15:46: |···  Start of Session, 02 August 2005  ···|
15:46: Spy Sweeper started
15:47: Your spyware definitions have been updated.
15:47: Warning: Hosts File Shield unable to read from hosts file.  Access violation at address 77F94213 in module 'ntdll.dll'. Read of address 00000058
15:47: Warning: Hosts File Shield unable to read from hosts file.  Access violation at address 77F94213 in module 'ntdll.dll'. Read of address 000004AC
15:47: Warning: Hosts File Shield unable to read from hosts file.  Access violation at address 77F94213 in module 'ntdll.dll'. Read of address 00000024
15:48: |···  End of Session, 02 August 2005  ···|



#14 Rawe (Visiting Staff)

Ok, looking better ;)

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

- Rawe

#15 Globaliser (Topic Starter)

Complete log here:-

  Started Scanning
  Internet Cookies
  Found 'hitbox.com' in 'Internet Explorer Cache'
  Found 'com.com' in 'Internet Explorer Cache'
  Programs in Memory
  Windows Registry
  Found '' in 'Software\Dynamic Toolbar'
  Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
  Internet URL Shortcuts
  Files and Directories
  Finished Scanning
  Started Backup
  Finished Backup
  Started Cleaning
  Finished Cleaning

