Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Zazzer, Effective i-Inc, Esonmniture [RESOLVED]

Started by melonworm , Aug 07 2005 06:11 AM

  • This topic is locked This topic is locked

#16
Dragon
Posted 16 August 2005 - 02:42 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
Download about:buster by RubbeRDuckY Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

Advertisements

#17
melonworm
Posted 16 August 2005 - 05:45 PM

melonworm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Ok, will do......... I updated my Spysubtract last evening, it found another Trojan and a few other instances of Spyware. Here is the Edwido log........ will run the others and post logs.


--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:29:40 PM, 8/16/2005
+ Report-Checksum: A31FCF83

+ Scan result:

:mozilla.16:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.1l7\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.1l7\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup


::Report End

Edited by melonworm, 16 August 2005 - 07:40 PM.

  • 0

#18
melonworm
Posted 16 August 2005 - 09:14 PM

melonworm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Rubber Ducky.....clean
CWShredder....clean

Kapersky scan *non extended mode* Critiacl areas and my computer.... clean

After Kapersky I ran Trend Micro House Call and it found and cleaned that TROJ_SMALL.Afg again, it is in the system files before the boot portion of the scan.


Logfile of HijackThis v1.99.1
Scan saved at 10:11:06 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Defender\Defender Pro Firewall\KAVPF.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.yahoo.co....cldefstat=Def1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Antispy] C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
O4 - HKLM\..\Run: [DPASUpdate] "C:\Program Files\DefenderPro AntiSpy\DPASAutoUpdate.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUpKiller.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Defender Pro Firewall.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Fill && Submit &8 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillSubmit.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\Msjava.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Clear Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F54} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O9 - Extra 'Tools' menuitem: Clear Fields &0 - {320AF880-6646-11D3-ABEE-C5DBF3571F54} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O9 - Extra button: Fill Submit - {320AF880-6646-11D3-ABEE-C5DBF3571F56} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillSubmit.html
O9 - Extra 'Tools' menuitem: Fill && Submit &8 - {320AF880-6646-11D3-ABEE-C5DBF3571F56} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillSubmit.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.micro...loadcontrol.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...549/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14....ex/HMAtchmt.ocx
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  • 0

#19
Dragon
Posted 17 August 2005 - 06:57 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
This is being a real tough one to beat, but we will get it, I still have an arsenal tools to help.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

#20
melonworm
Posted 17 August 2005 - 07:36 AM

melonworm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I have the purchased version of WR Spysweeper so I updated definitions and ran that, if that is not ok I will d/l and runn the free version.

07:55 AM: |··· Start of Session, Wednesday, August 17, 2005 ···|
07:55 AM: Spy Sweeper 3.5.0 (Build 191) started
07:55 AM: |··· End of Session, Wednesday, August 17, 2005 ···|
08:03 AM: |··· Start of Session, Wednesday, August 17, 2005 ···|
08:03 AM: Spy Sweeper 3.5.0 (Build 191) started
08:06 AM: Updating spyware definitions
08:06 AM: Your spyware definitions have been updated.
08:07 AM: |··· End of Session, Wednesday, August 17, 2005 ···|
08:13 AM: |··· Start of Session, Wednesday, August 17, 2005 ···|
08:13 AM: Spy Sweeper 3.5.0 (Build 191) started
08:14 AM: Sweep initiated using definitions version 518
08:14 AM: Sweeping memory for threats.
08:14 AM: Memory sweep has completed. Elapsed time 00:00:07
08:14 AM: Registry sweep initiated.
08:14 AM: Found: 2 Web Dialect Toolbar registry traces.
08:14 AM: Registry sweep completed. Elapsed time 00:00:15
08:14 AM: Full sweep on all local drives initiated.
08:14 AM: Now sweeping drive C:
08:16 AM: Found Cookie: 2o7.net Cookie, version 1, c:\documents and settings\melons contests\cookies\melons contests@2o7[2].txt
08:16 AM: Found Cookie: Overture Cookie, version 1, c:\documents and settings\melons contests\cookies\melons [email protected][1].txt
08:16 AM: Found Cookie: Tracking Cookie, version 1, c:\documents and settings\melons contests\cookies\melons contests@tracking[1].txt
08:16 AM: Found Cookie: Statcounter Cookie, version 1, c:\documents and settings\melons contests\cookies\melons contests@statcounter[1].txt
08:16 AM: Found Cookie: Atwola Cookie, version 1, c:\documents and settings\melons contests\cookies\melons contests@atwola[1].txt
08:16 AM: Found Cookie: Banners Cookie, version 1, c:\documents and settings\melons contests\cookies\melons contests@banners[2].txt
08:28 AM: Found: 6 file traces.
08:28 AM: Full Sweep has completed. Elapsed time 00:13:41
60,702 files swept
8 item traces located
08:32 AM: Removal process initiated
08:32 AM: Quarantining: 2o7.net Cookie
08:32 AM: Cookie: c:\documents and settings\melons contests\cookies\melons contests@2o7[2].txt
08:32 AM: Quarantining: Atwola Cookie
08:32 AM: Cookie: c:\documents and settings\melons contests\cookies\melons contests@atwola[1].txt
08:32 AM: Quarantining: Banners Cookie
08:32 AM: Cookie: c:\documents and settings\melons contests\cookies\melons contests@banners[2].txt
08:32 AM: Quarantining: Overture Cookie
08:32 AM: Cookie: c:\documents and settings\melons contests\cookies\melons [email protected][1].txt
08:32 AM: Quarantining: Statcounter Cookie
08:32 AM: Cookie: c:\documents and settings\melons contests\cookies\melons contests@statcounter[1].txt
08:32 AM: Quarantining: Tracking Cookie
08:32 AM: Cookie: c:\documents and settings\melons contests\cookies\melons contests@tracking[1].txt
08:32 AM: Quarantining: Web Dialect Toolbar
08:32 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}
08:32 AM: Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}||(-default-)
08:32 AM: Cleaning Traces
08:32 AM: Removing registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}
08:32 AM: Removal process completed. Elapsed time 00:00:00
7 items (8 traces) quarantined.


I have a hunch that that TROJ_SMALL Trend Micro is hitting on, may actually be the Spysubtract program. With your apporval, I'd like to test that thoery by uninstalling Spysubtract and running a Trend Micro scan at next boot.
  • 0

#21
Dragon
Posted 17 August 2005 - 05:19 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
By all means, if you think that is the issue then please try it. Also could you tell me if you are still getting any signs of zazzer?

if you are Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#22
melonworm
Posted 17 August 2005 - 06:58 PM

melonworm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
This is the "no" option of SR.... I also ran the "yes" option and can post that if you prefer.

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RoboForm" = ""C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"" ["Siber Systems"]
"Ashampoo PopUpBlocker" = "C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUpKiller.exe" [null data]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"_AntiSpyware" = "c:\progra~1\mcafee\MCAFEE~1\MssCli.exe" ["McAfee, Inc."]
"KAVPersonal50" = "C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize" ["Kaspersky Labs"]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"Dell AIO Printer A940" = ""C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"" [file not found]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" ["McAfee, Inc"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"Antispy" = "C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup" ["Defender Pro"]
"DPAS" = ""C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"" ["DefenderPro"]
"DPASUpdate" = ""C:\Program Files\DefenderPro AntiSpy\DPASAutoUpdate.exe"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{49E0E0F0-5C30-11D4-945D-000000000003}\(Default) = "IE PopUp-Killer ; Neikeisoft" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\DEFEND~1\DEFEND~1\PopUp.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL" ["Creative Technology Ltd"]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\progra~1\mcafee\MCAFEE~1\mssshell.dll" ["McAfee, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\progra~1\mcafee\MCAFEE~1\mssshell.dll" ["McAfee, Inc."]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Defender\Defender Pro 2005\shellex.dll" ["Kaspersky Labs"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Defender\Defender Pro 2005\shellex.dll" ["Kaspersky Labs"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\melons contests\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "melons contests" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Defender Pro Firewall" -> shortcut to: "C:\WINDOWS\Installer\{75D46594-4DE1-4A90-AE74-38637D301EF2}\StartUpShortcut.exe /silence" ["InstallShield Software Corp."]


Enabled Scheduled Tasks:
------------------------

"McAfee AntiSpyware" -> launches: "c:\progra~1\mcafee\MCAFEE~1\mcspy.exe /cmd:Schedule" ["McAfee, Inc."]
"McAfee.com Scan for Viruses - My Computer (MELONHED-melons contests)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" [file not found]
"McAfee.com Update Check (D80XPX21-Owner)" -> launches: "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee.com Update Check (MELONHED-Melinda)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee.com Update Check (MELONHED-melons contests)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee.com Update Check (MELONHED-Steve)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee.com Update Check (MELONHED-Trey)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

"{724D43A0-0D85-11D4-9908-00400523E39A}" = "&RoboForm" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{724D43A0-0D85-11D4-9908-00400523E39A}" = "&RoboForm" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll" ["Siber Systems"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Msjava.dll" [MS]

{0D555BC6-E331-48B3-A60E-AAC0DF79438A}\
"ButtonText" = "Popup Blocker"
"MenuText" = "Popup Blocker"
"CLSIDExtension" = "{93F764AC-24D1-484F-92EA-3C84E31CDF72}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll" ["Osborn Technologies, Inc."]

{320AF880-6646-11D3-ABEE-C5DBF3571F46}\
"ButtonText" = "Fill Forms"
"MenuText" = "Fill Forms &]"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F49}\
"ButtonText" = "Save"
"MenuText" = "Save Forms &["
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F54}\
"ButtonText" = "Clear Fields"
"MenuText" = "Clear Fields &0"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F56}\
"ButtonText" = "Fill Submit"
"MenuText" = "Fill && Submit &8"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillSubmit.html" [file not found]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{724D43AA-0D85-11D4-9908-00400523E39A}\
"ButtonText" = "RoboForm"
"MenuText" = "RF Toolbar &2"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTSvcCDA.EXE" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
IPv6 Helper Service, 6to4, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
kavsvc, kavsvc, "C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe" ["Kaspersky Labs"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
McAfee AntiSpyware Real-Time Scanner, McAfeeAntiSpyware, "c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe" ["McAfee, Inc."]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 260 seconds, including 17 seconds for message boxes)




Still showing the Zazzer, tried to kill it in safe mode and normal, this thing will not budge nor will the SbSoft.dr or Systemsave.dr. Here's my AdAware log, I apologize if your eyeballs explode from the gi-normous block of text. :tazz: I highlighted the Zazzer entries in green for easy locating.


Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, August 17, 2005 7:27:10 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R61 10.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):12 total references
Tracking Cookie(TAC index:3):9 total references
ZaZZeR(TAC index:6):5 total references»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


8-17-2005 7:27:10 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\melons contests\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-271172946-3900277460-3191590651-1010\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-271172946-3900277460-3191590651-1010\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-271172946-3900277460-3191590651-1010\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-271172946-3900277460-3191590651-1010\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-271172946-3900277460-3191590651-1010\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-271172946-3900277460-3191590651-1010\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-271172946-3900277460-3191590651-1010\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-271172946-3900277460-3191590651-1010\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 1004
ThreadCreationTime : 8-17-2005 1:10:39 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 1052
ThreadCreationTime : 8-17-2005 1:10:40 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 1076
ThreadCreationTime : 8-17-2005 1:10:41 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 1120
ThreadCreationTime : 8-17-2005 1:10:41 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 1132
ThreadCreationTime : 8-17-2005 1:10:41 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 1296
ThreadCreationTime : 8-17-2005 1:10:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 1384
ThreadCreationTime : 8-17-2005 1:10:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1512
ThreadCreationTime : 8-17-2005 1:10:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 1552
ThreadCreationTime : 8-17-2005 1:10:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1600
ThreadCreationTime : 8-17-2005 1:10:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [lexbces.exe]
ModuleName : C:\WINDOWS\system32\LEXBCES.EXE
Command Line : C:\WINDOWS\system32\LEXBCES.EXE
ProcessID : 1940
ThreadCreationTime : 8-17-2005 1:10:43 PM
BasePriority : Normal
FileVersion : 8.14
ProductVersion : 8.14
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:12 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1972
ThreadCreationTime : 8-17-2005 1:10:43 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [lexpps.exe]
ModuleName : C:\WINDOWS\system32\LEXPPS.EXE
Command Line : LEXPPS.EXE
ProcessID : 2020
ThreadCreationTime : 8-17-2005 1:10:44 PM
BasePriority : Normal
FileVersion : 8.14
ProductVersion : 8.14
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:14 [cisvc.exe]
ModuleName : C:\WINDOWS\system32\cisvc.exe
Command Line : C:\WINDOWS\system32\cisvc.exe
ProcessID : 232
ThreadCreationTime : 8-17-2005 1:10:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:15 [dllhost.exe]
ModuleName : C:\WINDOWS\System32\dllhost.exe
Command Line : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
ProcessID : 224
ThreadCreationTime : 8-17-2005 1:10:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : COM Surrogate
InternalName : dllhost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : dllhost.exe

#:16 [ctsvccda.exe]
ModuleName : C:\WINDOWS\System32\CTSvcCDA.EXE
Command Line : C:\WINDOWS\System32\CTSvcCDA.EXE
ProcessID : 256
ThreadCreationTime : 8-17-2005 1:10:51 PM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:17 [ewidoctrl.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 304
ThreadCreationTime : 8-17-2005 1:10:51 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:18 [msssrv.exe]
ModuleName : c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
Command Line : c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
ProcessID : 396
ThreadCreationTime : 8-17-2005 1:10:51 PM
BasePriority : Normal
FileVersion : 1.10.163.0
ProductVersion : 1.10.163.0
ProductName : McAfee AntiSpyware
CompanyName : McAfee, Inc.
FileDescription : McAfee AntiSpyware RealTime Service
InternalName : MssSrv.exe
LegalCopyright : Copyright © 2005 McAfee, Inc.
All Rights Reserved.
OriginalFilename : MssSrv.exe

#:19 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 572
ThreadCreationTime : 8-17-2005 1:10:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [mspmspsv.exe]
ModuleName : C:\WINDOWS\System32\MsPMSPSv.exe
Command Line : C:\WINDOWS\System32\MsPMSPSv.exe
ProcessID : 664
ThreadCreationTime : 8-17-2005 1:10:52 PM
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:21 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessID : 720
ThreadCreationTime : 8-17-2005 1:10:52 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:22 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 2004
ThreadCreationTime : 8-17-2005 1:10:58 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:23 [gcasserv.exe]
ModuleName : C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
Command Line : "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
ProcessID : 1568
ThreadCreationTime : 8-17-2005 1:12:38 PM
BasePriority : Idle
FileVersion : 1.00.0615
ProductVersion : 1.00.0615
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:24 [qttask.exe]
ModuleName : C:\Program Files\QuickTime\qttask.exe
Command Line : "C:\Program Files\QuickTime\qttask.exe" -atboottime
ProcessID : 1484
ThreadCreationTime : 8-17-2005 1:12:38 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:25 [msscli.exe]
ModuleName : C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
Command Line : "C:\progra~1\mcafee\MCAFEE~1\MssCli.exe"
ProcessID : 772
ThreadCreationTime : 8-17-2005 1:12:38 PM
BasePriority : Normal
FileVersion : 1.10.163.0
ProductVersion : 1.10.163.0
ProductName : McAfee AntiSpyware
CompanyName : McAfee, Inc.
FileDescription : McAfee AntiSpyware RealTime Client
InternalName : MssCli.exe
LegalCopyright : Copyright © 2005 McAfee, Inc.
All Rights Reserved.
OriginalFilename : MssCli.exe

#:26 [dsentry.exe]
ModuleName : C:\WINDOWS\System32\DSentry.exe
Command Line : "C:\WINDOWS\System32\DSentry.exe"
ProcessID : 2012
ThreadCreationTime : 8-17-2005 1:12:39 PM
BasePriority : Normal
FileVersion : 1, 0, 2, 0
ProductVersion : 1, 0, 2, 0
ProductName : Dell - DVDSentry
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
LegalCopyright : Copyright © 2002 Dell
OriginalFilename : DSentry.exe
Comments : DVDSentry launches your software DVD player when a DVD is inserted.

#:27 [jusched.exe]
ModuleName : C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
Command Line : "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
ProcessID : 768
ThreadCreationTime : 8-17-2005 1:12:39 PM
BasePriority : Normal


#:28 [mcagent.exe]
ModuleName : C:\PROGRA~1\mcafee.com\agent\mcagent.exe
Command Line : "C:\PROGRA~1\mcafee.com\agent\mcagent.exe"
ProcessID : 1784
ThreadCreationTime : 8-17-2005 1:12:40 PM
BasePriority : Normal
FileVersion : 5, 1, 0, 2
ProductVersion : 5, 1, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : mcagent.exe

#:29 [dpasnt.exe]
ModuleName : C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
Command Line : "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
ProcessID : 1856
ThreadCreationTime : 8-17-2005 1:12:41 PM
BasePriority : Normal
FileVersion : 4, 4, 1, 0
ProductVersion : 4, 4, 1, 0
ProductName : DefPro AntiSpy
CompanyName : DefenderPro
FileDescription : DefPro AntiSpy
InternalName : DefPro AntiSpy
LegalCopyright : Copyright © Omniquad 2000-05. This product is powered by Omniquad Ltd.
OriginalFilename : DefPro AntiSpy
Comments : DefPro AntiSpy

#:30 [robotaskbaricon.exe]
ModuleName : C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
Command Line : "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
ProcessID : 1744
ThreadCreationTime : 8-17-2005 1:12:42 PM
BasePriority : Normal


#:31 [gcasdtserv.exe]
ModuleName : C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
Command Line : "C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe"
ProcessID : 2264
ThreadCreationTime : 8-17-2005 1:12:52 PM
BasePriority : Normal
FileVersion : 1.00.0615
ProductVersion : 1.00.0615
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:32 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 2300
ThreadCreationTime : 8-17-2005 1:12:53 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:33 [kavpf.exe]
ModuleName : C:\Program Files\Defender\Defender Pro Firewall\KAVPF.exe
Command Line : "C:\Program Files\Defender\Defender Pro Firewall\KAVPF.exe" /silence
ProcessID : 2716
ThreadCreationTime : 8-17-2005 1:13:06 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Kaspersky Anti-Hacker
CompanyName : Kaspersky Lab.
FileDescription : Kaspersky Anti-Hacker
InternalName : KAVPF
LegalCopyright : Copyright © 2002
OriginalFilename : KAVPF.EXE

#:34 [tsantispy.exe]
ModuleName : C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
Command Line : "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe\..\AntiSpy\TSAntiSpy.exe"
ProcessID : 2912
ThreadCreationTime : 8-17-2005 1:13:10 PM
BasePriority : Normal
FileVersion : 4, 4, 1, 0
ProductVersion : 4, 4, 1, 0
ProductName : Omniquad AntiSpy
CompanyName : DefenderPro
InternalName : Omniquad AntiSpy
LegalCopyright : Copyright © Omniquad 2000-05. dit product is ontwikkeld door Omniquad Ltd.
OriginalFilename : Omniquad AntiSpy
Comments : AntiSpy

#:35 [maxthon.exe]
ModuleName : C:\Program Files\Maxthon\Maxthon.exe
Command Line : "C:\Program Files\Maxthon\Maxthon.exe"
ProcessID : 3380
ThreadCreationTime : 8-17-2005 1:14:52 PM
BasePriority : Normal
FileVersion : 1, 3, 3, 50
ProductVersion : 1, 3, 3, 50
ProductName : Maxthon Application
CompanyName : MY Soft Technology
FileDescription : Maxthon Web Browser
InternalName : Maxthon
LegalCopyright : Copyright © 2002
LegalTrademarks : Maxthon
OriginalFilename : Maxthon.EXE

#:36 [cidaemon.exe]
ModuleName : C:\WINDOWS\system32\cidaemon.exe
Command Line : n/a
ProcessID : 2808
ThreadCreationTime : 8-17-2005 1:18:28 PM
BasePriority : Idle
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cidaemon.exe

#:37 [cidaemon.exe]
ModuleName : C:\WINDOWS\system32\cidaemon.exe
Command Line : n/a
ProcessID : 496
ThreadCreationTime : 8-17-2005 1:18:31 PM
BasePriority : Idle
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cidaemon.exe

#:38 [acrord32.exe]
ModuleName : C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Command Line : "C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe" /o /eo /l
ProcessID : 3640
ThreadCreationTime : 8-17-2005 11:09:27 PM
BasePriority : Normal
FileVersion : 7.0.2.2005060200
ProductVersion : 7.0.2.2005060200
ProductName : Adobe Reader
CompanyName : Adobe Systems Incorporated
FileDescription : Adobe Reader 7.0
LegalCopyright : Copyright 1984-2005 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroRd32.exe

#:39 [dpas.exe]
ModuleName : C:\Program Files\Defender Pro\AntiSpy\Dpas.exe
Command Line : "C:\Program Files\Defender Pro\AntiSpy\Dpas.exe"
ProcessID : 1276
ThreadCreationTime : 8-18-2005 12:22:35 AM
BasePriority : Normal
FileVersion : 1.1
ProductVersion : 1.1
ProductName : AntiSpy Application
CompanyName : Defender Pro
FileDescription : AntiSpy Application
InternalName : AntiSpy
LegalCopyright : Copyright © 2004
OriginalFilename : AntiSpy.EXE

#:40 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 3584
ThreadCreationTime : 8-18-2005 12:26:57 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

ZaZZeR Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}

ZaZZeR Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}
Value : AppID

ZaZZeR Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{90a52f08-64ac-4dc6-9d7d-4516670275d3}
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 15


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons contests@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:melons [email protected]/cgi-bin
Expires : 2-27-2015 7:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons contests@statcounter[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value : Cookie:melons [email protected]/
Expires : 8-16-2010 5:35:50 PM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons contests@247realmedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:melons [email protected]/
Expires : 8-17-2006 5:38:38 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons contests@centrport[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:melons [email protected]/
Expires : 12-31-2029 7:00:00 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons contests@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:195
Value : Cookie:melons [email protected]/
Expires : 8-16-2010 7:09:18 PM
LastSync : Hits:195
UseCount : 0
Hits : 195

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:melons [email protected]/
Expires : 8-16-2009 9:07:20 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:melons [email protected]/
Expires : 8-17-2006 9:24:36 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:melons [email protected]/
Expires : 8-10-2035 10:11:38 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : melons contests@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:melons [email protected]/
Expires : 10-8-2006 1:53:38 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 9
Objects found so far: 24



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 24




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

ZaZZeR Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{90a52f08-64ac-4dc6-9d7d-4516670275d3}

ZaZZeR Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{6c51f7e9-8542-4f25-a30f-2060157752e1}Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Edited by melonworm, 17 August 2005 - 07:10 PM.

  • 0

#23
melonworm
Posted 18 August 2005 - 06:08 AM

melonworm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I uninstalled Spysubtract and Trend Micro still finds and cleans the TROJ_SMALL.AFG. :tazz: I guess that Trojan is whats messing up the Spysubtract.
  • 0

#24
Dragon
Posted 19 August 2005 - 06:51 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
lets do a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

then let me know if your still recieving warning about Zazzer and TROJ_SMALL.AFG.

I will do a little research today to see if I can find any further ways of removing Zazzer in case this doesn't work.
  • 0

#25
melonworm
Posted 19 August 2005 - 02:24 PM

melonworm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
The Trojan scan returned as clean.

I am still getting the hit on the TROJ_SMALL.AFG on Trend Micro.... I researched this a bit and I have one of the registry keys asscoiated with this Trojan still in my registry.... I don't know if this means the Trojan is still active, since there are 5 or 6 entries associated with this bug.

My computer is running faster but it takes forever to boot up and shut down. Something keeps allowing 6 items in my Spywareblaster, I enable all portections and in less than a minute, those 6 items are deselected, even in safe mode.

I also have an AUupdater hanging on in memory after I close my browser, a bit of research (on safe sites only, like TrendMicro and Norton, no "off-roading") indicated this AUupdater is tied into the MSCache/XXXtoolbar family of malware. Interestingly enough, MScache is one of the items that deselects itself in Spyware blaster, XXX toolbar is an item my DP A/S cannot delete as access is denied.

I cannot use my keyboard in safe mode or it will lock up both the mouse and keyboard and I am stuck. It does not lock up whatever program I am running, just the mouse and keyboard.

My CD burner will not work, it is always "busy".

I don't know if it is worth much more time (mine or yours) to keep trying to resolve this. I'll let you decide if you want to keep cracking at it, elsewise, you can go on to someone who is "helpable", I am beginning to think I am a lost cause.

Edited in to add..... I am grateful for your time and patience, :tazz: I don't want to come off as rude. I just don't know if this is a solvable problem.

Edited by melonworm, 19 August 2005 - 04:07 PM.

  • 0

Advertisements

#26
Dragon
Posted 20 August 2005 - 08:02 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
hi meloneworm,
All things are fixable, but with what you are describing, and I hate saying this, your Windows install is seriously corrupted.
I would recommend making a backup of all your important files that you don't want to lose, and then reinstall Windows.

If you still want to continue on trying to fix this without reinstalling, let me know, I will continue until it is fixed. But be warned this could turn into a lengthy process.

Waiting to hear your decision
  • 0

#27
melonworm
Posted 20 August 2005 - 09:23 AM

melonworm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I'm game if you are, glutton for punishment!!!!


The install you are speaking of, is that where you install over current version without repartitioning the hard drive?
  • 0

#28
Dragon
Posted 20 August 2005 - 10:52 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
yes, if you want to reinstall Windows, you need to have your Windows XP cd avialable, then you hit enter and then hit repair install. please note, after doing this you will need to reapply your service packs and all updates.

if you want to continue trying to fix this let me know, other wise I will give you a link to a great tutorial on doing the repair install.
  • 0

#29
melonworm
Posted 20 August 2005 - 11:55 AM

melonworm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I am still waiting for SP2 disk to arrive (Lost the first one), meantime I'd like to try to knock out the ZaZZer and other pests.
  • 0

#30
Dragon
Posted 20 August 2005 - 12:44 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
ok, let see what we can do :tazz:

first can you supply me with the registry entry that you have found dealing with the trojan that trend micro is finding?

We will do this one step at a time, I will do some research on the zazzer issue and see what I can come up with for a fix in teh mean time.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP