Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Adware.BetterInternet [CLOSED]

Started by bfaris , Aug 14 2005 07:23 PM

  • This topic is locked This topic is locked

#1
bfaris
Posted 14 August 2005 - 07:23 PM

bfaris

    New Member

  • Member
  • Pip
  • 8 posts
Please help clean the virus(es) off of my computer. I've followed all of the required steps before posting this Hijackthis Log, but am still getting the pop-ups. Ad-Aware and Spybot flag items but are unable to remove them (even following re-start). Ewido cleaned and removed a number of them, but keeps popping with the same infection warning screen. TrojanHunter also identified a bunch, but apparently didn't remove them.

Here is the Scan Logfile from Ad-Aware:


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, August 14, 2005 1:18:30 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R61 10.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
IBIS Toolbar(TAC index:5):53 total references
Other(TAC index:5):3 total references
SahAgent(TAC index:9):3 total references
VX2(TAC index:10):26 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R47 24.05.2005
Internal build : 55
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref
File size : 476246 Bytes
Total size : 1439523 Bytes
Signature data size : 1408291 Bytes
Reference data size : 30720 Bytes
Signatures total : 40174
CSI Fingerprints total : 886
CSI data size : 30371 Bytes
Target categories : 15
Target families : 679

8-14-2005 1:14:24 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R61 10.08.2005
Internal build : 71
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref
File size : 508229 Bytes
Total size : 1531791 Bytes
Signature data size : 1498915 Bytes
Reference data size : 32364 Bytes
Signatures total : 42681
CSI Fingerprints total : 1003
CSI data size : 35408 Bytes
Target categories : 15
Target families : 729


8-14-2005 1:14:48 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:30 %
Total physical memory:261424 kb
Available physical memory:77368 kb
Total page file size:633132 kb
Available on page file:463460 kb
Total virtual memory:2097024 kb
Available virtual memory:2037480 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


8-14-2005 1:18:30 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 356
ThreadCreationTime : 8-14-2005 5:45:36 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINNT\system32\csrss.exe
Command Line : C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThre
ProcessID : 404
ThreadCreationTime : 8-14-2005 5:45:37 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINNT\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 428
ThreadCreationTime : 8-14-2005 5:45:38 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINNT\system32\services.exe
Command Line : C:\WINNT\system32\services.exe
ProcessID : 480
ThreadCreationTime : 8-14-2005 5:45:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINNT\system32\lsass.exe
Command Line : C:\WINNT\system32\lsass.exe
ProcessID : 492
ThreadCreationTime : 8-14-2005 5:45:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost -k rpcss
ProcessID : 656
ThreadCreationTime : 8-14-2005 5:45:39 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k netsvcs
ProcessID : 708
ThreadCreationTime : 8-14-2005 5:45:39 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k NetworkService
ProcessID : 900
ThreadCreationTime : 8-14-2005 5:45:41 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k LocalService
ProcessID : 1036
ThreadCreationTime : 8-14-2005 5:45:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
ModuleName : C:\WINNT\system32\spoolsv.exe
Command Line : C:\WINNT\system32\spoolsv.exe
ProcessID : 1168
ThreadCreationTime : 8-14-2005 5:45:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [alg.exe]
ModuleName : C:\WINNT\System32\alg.exe
Command Line : C:\WINNT\System32\alg.exe
ProcessID : 688
ThreadCreationTime : 8-14-2005 5:45:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:12 [navapsvc.exe]
ModuleName : C:\Program Files\Norton AntiVirus\navapsvc.exe
Command Line : "C:\Program Files\Norton AntiVirus\navapsvc.exe"
ProcessID : 740
ThreadCreationTime : 8-14-2005 5:45:51 PM
BasePriority : Normal
FileVersion : 8.07.17
ProductVersion : 8.07.17
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:13 [nvsvc32.exe]
ModuleName : C:\WINNT\System32\nvsvc32.exe
Command Line : C:\WINNT\System32\nvsvc32.exe
ProcessID : 840
ThreadCreationTime : 8-14-2005 5:45:51 PM
BasePriority : Normal
FileVersion : 5.13.01.1520
ProductVersion : 5.13.01.1520
ProductName : NVIDIA Driver Helper Service, Version 15.20
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 15.20
InternalName : NVSVC
LegalCopyright : Copyright © 1998-2001 NVIDIA Corporation
OriginalFilename : nvsvc32.exe

#:14 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : C:\WINNT\System32\svchost.exe -k imgsvc
ProcessID : 1412
ThreadCreationTime : 8-14-2005 5:45:54 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:15 [wkufind.exe]
ModuleName : C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Command Line : "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
ProcessID : 3592
ThreadCreationTime : 8-14-2005 5:48:31 PM
BasePriority : Normal
FileVersion : 6.00.3215.0
ProductVersion : 6.00.3215.0
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Update Detection
InternalName : WkUFind
LegalCopyright : Copyright © Microsoft Corporation 1987-2001. All rights reserved.
OriginalFilename : WkUFind.exe

#:16 [motivesb.exe]
ModuleName : C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
Command Line : "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe"
ProcessID : 3688
ThreadCreationTime : 8-14-2005 5:48:36 PM
BasePriority : Normal
FileVersion : 5.6.7.asst_classic.smartbridge.20031210_035000
ProductVersion : 5.6.7.asst_classic.smartbridge
ProductName : Motive System
CompanyName : Motive Communications, Inc.
FileDescription : SBC Self Support Tool Alerts
InternalName : version
LegalCopyright : Copyright 1998-2003
OriginalFilename : version

#:17 [nslwsock.exe]
ModuleName : C:\WINNT\System32\nslwsock.exe
Command Line : "C:\WINNT\System32\nslwsock.exe"
ProcessID : 3960
ThreadCreationTime : 8-14-2005 5:48:49 PM
BasePriority : Normal


#:18 [hysksj.exe]
ModuleName : C:\WINNT\System32\hysksj.exe
Command Line : C:\WINNT\System32\hysksj.exe qmqwno r
ProcessID : 4056
ThreadCreationTime : 8-14-2005 5:48:52 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 7
ProductVersion : 0, 0, 7, 0

SahAgent Object Recognized!
Type : Process
Data : bbhu6il4.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\WINNT\System32\
FileVersion : 4, 0, 3, 0
ProductVersion : 4, 0, 3, 0


#:19 [msmsgs.exe]
ModuleName : C:\Program Files\Messenger\msmsgs.exe
Command Line : "C:\Program Files\Messenger\msmsgs.exe" /background
ProcessID : 192
ThreadCreationTime : 8-14-2005 5:48:53 PM
BasePriority : Normal
FileVersion : 4.7.2009
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 1997-2003
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:20 [money express.exe]
ModuleName : C:\Program Files\Microsoft Money\System\Money Express.exe
Command Line : "C:\Program Files\Microsoft Money\System\Money Express.exe"
ProcessID : 888
ThreadCreationTime : 8-14-2005 5:48:55 PM
BasePriority : Normal
FileVersion : 10.00.0809
ProductVersion : 10.00.0809
ProductName : Microsoft Money
CompanyName : Microsoft Corporation
FileDescription : Microsoft Money Express
InternalName : MoneyExpress
LegalCopyright : Copyright © Microsoft Corp. 1990-2001. All rights reserved.
OriginalFilename : MoneyExpress.EXE

#:21 [mpbtn.exe]
ModuleName : C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
Command Line : "C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe"
ProcessID : 1860
ThreadCreationTime : 8-14-2005 5:49:19 PM
BasePriority : Normal


#:22 [ymsgr_tray.exe]
ModuleName : C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
Command Line : C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe -ymsgr
ProcessID : 2320
ThreadCreationTime : 8-14-2005 5:49:22 PM
BasePriority : Normal


#:23 [wuauclt.exe]
ModuleName : C:\WINNT\System32\wuauclt.exe
Command Line : "C:\WINNT\System32\wuauclt.exe"
ProcessID : 1380
ThreadCreationTime : 8-14-2005 6:01:34 PM
BasePriority : Normal
FileVersion : 5.4.3630.1106 (xpsp1.020828-1920)
ProductVersion : 5.4.3630.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:24 [pib.exe]
ModuleName : C:\PROGRA~1\Toolbar\PIB.exe
Command Line : C:\PROGRA~1\Toolbar\PIB.exe
ProcessID : 3716
ThreadCreationTime : 8-14-2005 6:11:06 PM
BasePriority : Normal
FileVersion : 4.0.0.1500
ProductName : WebSearch Toolbar
CompanyName : WebSearch
FileDescription : WebSearch Toolbar Plugin Server
LegalCopyright : © WebSearch
OriginalFilename : TBPS.exe

#:25 [tbps.exe]
ModuleName : C:\PROGRA~1\Toolbar\TBPS.exe
Command Line : C:\PROGRA~1\Toolbar\TBPS.exe
ProcessID : 1096
ThreadCreationTime : 8-14-2005 6:11:11 PM
BasePriority : Normal
FileVersion : 4.0.0.1500
ProductName : WebSearch Toolbar
CompanyName : WebSearch
FileDescription : WebSearch Toolbar Plugin Server
LegalCopyright : © WebSearch
OriginalFilename : TBPS.exe

#:26 [radio.exe]
ModuleName : c:\PROGRA~1\Toolbar\radio.exe
Command Line : c:\PROGRA~1\Toolbar\radio.exe -Embedding
ProcessID : 2436
ThreadCreationTime : 8-14-2005 6:11:13 PM
BasePriority : Normal


#:27 [aurareco.exe]
ModuleName : C:\DOCUME~1\Owner\LOCALS~1\Temp\NFN\aurareco.exe
Command Line : C:\DOCUME~1\Owner\LOCALS~1\Temp\NFN\aurareco.exe
ProcessID : 1260
ThreadCreationTime : 8-14-2005 6:11:22 PM
BasePriority : Normal
FileVersion : 2, 0, 3, 1
ProductVersion : 2, 0, 3, 1
ProductName : Thinstaller
CompanyName : BetterInternet, Inc.
FileDescription : www.abetterinternet.com - Utility for downloading files and upgrading software.
InternalName : Install Utility
LegalCopyright : BetterInternet, Inc. © 2005
OriginalFilename : Thinstaller.exe
Comments : Utility for downloading files and upgrading software. Visit www.abetterinternet.com for more info.

#:28 [explorer.exe]
ModuleName : C:\WINNT\explorer.exe
Command Line : explorer.exe
ProcessID : 3260
ThreadCreationTime : 8-14-2005 6:11:28 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:29 [ad-aware.exe]
ModuleName : C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
Command Line : "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" /598853 +483832
ProcessID : 2044
ThreadCreationTime : 8-14-2005 6:13:46 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{2c4e6d22-b71f-491f-aad3-b6972a650d50}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{310cc549-4541-46a9-940f-52b342a6e682}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{339bb23f-a864-48c0-a59f-29ea915965ec}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6e21f428-5617-47f7-aed8-b2e1d8fba711}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{708be496-e202-497b-bc31-9cf47e3bf8d6}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{8952a998-1e7e-4716-b23d-3dbe03910972}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{8b0fa130-0c3d-4cb1-aeb7-2c29da5509a3}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{bbf122a7-8a4d-45b5-9e00-0f68bc87c904}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{cae0999f-78c5-49dc-9f30-13142aaaaba4}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{ff76a5da-6158-4439-99ff-edc1b3fe100c}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{234f09fb-fe89-4c6d-9203-31832fc051c3}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{365b9a54-e613-46e5-9db1-4f91a9de80bd}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{618be527-b7f5-417c-bc51-98fdc2d6de61}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{66c22569-f05c-4a70-a142-763b337e1002}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{7b8bd940-b1ef-460c-85a2-9acaaf7f9303}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{99aa88d1-d9d3-410a-be9e-044f94c183da}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c380566d-f343-42ab-987b-6b38a1a35747}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{d1951679-1d52-43fc-9585-0737143585f5}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f273d4ea-2025-4410-8408-251a0cd46be7}

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\handler\tpro

IBIS Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\handler\tpro
Value : CLSID

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\name-space handler\res\toolbar.resprotocol

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : tbps.pluginconfig

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : tbps.plugindown

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : tbps.plugindownadd

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : tbps.pluginevents

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : tbps.plugininst

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : tbps.pluginserver

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : tbps.toolbarscript

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolbar.resprotocol

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{b23b3add-84b1-414a-92b9-0cabe5a781f4}

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3894602836-1085806099-568186159-1003\software\aurora
Value : AUI3g5noreS

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{8952a998-1e7e-4716-b23d-3dbe03910972}

IBIS Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{339BB23F-A864-48C0-A59F-29EA915965EC}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {339BB23F-A864-48C0-A59F-29EA915965EC}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 58
Objects found so far: 59


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SahAgent Object Recognized!
Type : File
Data : A0045129.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP680\
FileVersion : 4, 1, 0, 0
ProductVersion : 4, 1, 0, 0


SahAgent Object Recognized!
Type : File
Data : bbhu6il4.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\WINNT\system32\
FileVersion : 4, 0, 3, 0
ProductVersion : 4, 0, 3, 0


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 61




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\toolbar

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\installer\userdata\sto

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\ttool_uninstall

IBIS Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\ttool_uninstall
Value : UninstallString

IBIS Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\ttool_uninstall
Value : DisplayIcon

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\toolbar

IBIS Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\toolbar
Value : AVGSEARCH

IBIS Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment : You will need to restart your computer and rescan in order to complete the removal of this item.
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\enum\root\legacy_tbpssvc

IBIS Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer
Value : ServerProc

IBIS Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : TBPS

IBIS Toolbar Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : IBIS Toolbar
Object : C:\Program Files\Toolbar

IBIS Toolbar Object Recognized!
Type : File
Data : common.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\
FileVersion : 4.0.0.296
ProductName : WebSearch Toolbar
CompanyName : WebSearch
FileDescription : WebSearch Toolbar Common Object
LegalCopyright : © WebSearch
OriginalFilename : common.dll


IBIS Toolbar Object Recognized!
Type : File
Data : gykhxlmu.rmr
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\



IBIS Toolbar Object Recognized!
Type : File
Data : nzqlihv.wzg
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\



IBIS Toolbar Object Recognized!
Type : File
Data : PIB.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\
FileVersion : 4.0.0.1500
ProductName : WebSearch Toolbar
CompanyName : WebSearch
FileDescription : WebSearch Toolbar Plugin Server
LegalCopyright : © WebSearch
OriginalFilename : TBPS.exe


IBIS Toolbar Object Recognized!
Type : File
Data : radio.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\



IBIS Toolbar Object Recognized!
Type : File
Data : TBPS.dat
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\



IBIS Toolbar Object Recognized!
Type : File
Data : TBPS.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\
FileVersion : 4.0.0.1500
ProductName : WebSearch Toolbar
CompanyName : WebSearch
FileDescription : WebSearch Toolbar Plugin Server
LegalCopyright : © WebSearch
OriginalFilename : TBPS.exe


IBIS Toolbar Object Recognized!
Type : File
Data : toolbar.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\
FileVersion : 4.0.0.405
ProductName : WebSearch Toolbar
CompanyName : WebSearch
FileDescription : WebSearch Toolbar Browser Object
LegalCopyright : © WebSearch
OriginalFilename : toolbar.dll


IBIS Toolbar Object Recognized!
Type : File
Data : zwipvbh.wzg
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\Program Files\toolbar\



VX2 Object Recognized!
Type : RegData
Data : explorer.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe

Other Object Recognized!
Type : File
Data : PIB.EXE-04B1D98F.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINNT\prefetch\



Other Object Recognized!
Type : File
Data : RADIO.EXE-03115944.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINNT\prefetch\



Other Object Recognized!
Type : File
Data : TBPS.EXE-2F0D4C74.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINNT\prefetch\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 24
Objects found so far: 85

1:39:05 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:20:35.391
Objects scanned:98831
Objects identified:87
Objects ignored:0
New critical objects:87


* * * * * * * *

Here is the report from the Ewido Scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:38:00 PM, 8/14/2005
+ Report-Checksum: 185D5288

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9603A736-05B9-4D78-BDD5-BDCB0914E522} -> Spyware.WurldMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC12B055-C9F5-407D-9B66-1851973F32AF} -> Spyware.WurldMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\tpro -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Radio.RadioPlayer -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Radio.RadioPlayer\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginConfig\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDown\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginEvents\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginInst\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginServer\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\toolbar.ResProtocol -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\toolbar.ResProtocol\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
HKLM\SOFTWARE\toolbar -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Install -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3894602836-1085806099-568186159-1003\Software\Bundles -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-21-3894602836-1085806099-568186159-1003\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-3894602836-1085806099-568186159-1003\Software\toolbar
  • 0

Advertisements

#2
Rawe
Posted 15 August 2005 - 10:40 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome!

Can you start off by doing the following;

1- Download CleanUp
Install the program, dont run it yet.

2- Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
3- Update Ad-aware SE. After that, click on the gear to access the Configuration menu. Please make sure that this setting is applied;

Click on Tweak => Cleaning engine => UNcheck "Always try to unload modules before deletion". Click on "Finish". Run a Full System Scan. Remove ALL it finds.

4- Reboot.

5- Run a scan with HiJackThis and post me the logfile. Don't fix anything yet!

- Rawe :tazz:
  • 0

#3
bfaris
Posted 16 August 2005 - 01:30 AM

bfaris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Rawe:

Thanks so much for offering to help. (This is really a terrific thing you and others on this site are doing to help out the rest of us). The ewido viruses alerts are popping like crazy now.

I followed the steps as indicated. Here is the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:25:53 AM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\alg.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINNT\System32\ysuchi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearchbar.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://remote.lw.com/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINNT\tct101.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: TChkBHO Class - {2C4748C9-8A53-4544-ACEB-82FB5091F493} - C:\WINNT\system32\jegkgs.dll (file missing)
O2 - BHO: SDWin32 Class - {2C58C45D-AB26-46F7-98F5-315F3A26954F} - C:\WINNT\System32\klxqi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.n.../bridge-c46.cab
O16 - DPF: {15E31F81-702C-48F8-97B1-75AE9155B5E3} (TSWebCtl.UCTSWeb) - https://remote.lw.com/TSWebCtl.CAB
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - ms-its:mhtml:file://c:\nosunes.mht!http://daemonlinks.n...m::/website.cab
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) - https://remote.lw.com/spv3rdpchk.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - WebSearch - C:\PROGRA~1\Toolbar\TBPSSvc.exe

* * * * * * *

Thank you again for your help. :tazz:
  • 0

#4
Rawe
Posted 16 August 2005 - 01:57 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Since you have Ewido installed, can you first update it and make sure it's the latest version (3.5).

Launch Notepad, copy & paste the following text from the code box below, into a empty text file (Starting from @Echo);

@ECHO OFF
cd\windows
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Do the following;

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on remove.bat

A window should open and close very quickly --- this is normal.

Open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Reboot back into normal mode and post the Ewido log along with a fresh HiJackThis log.

- Rawe :tazz:
  • 0

#5
bfaris
Posted 16 August 2005 - 09:08 PM

bfaris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I made it through all of the steps and have the following scan reports.

Here is the Ewido scan log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:00:32 PM, 8/16/2005
+ Report-Checksum: 434E15B8

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\tpro -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Radio.RadioPlayer -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Radio.RadioPlayer\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginConfig\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDown\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginEvents\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginInst\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginServer\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\toolbar.ResProtocol -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\toolbar.ResProtocol\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\APP -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\BBDE -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\BBDHE -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\BBDI -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\COMMON -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\MAJORSE -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\RADIO -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\SVC -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Files\TBR -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Install -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\PlugIns\RADIO -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\toolbar\Server -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Security -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3894602836-1085806099-568186159-1003\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3894602836-1085806099-568186159-1003\Software\toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3894602836-1085806099-568186159-1003\Software\toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3894602836-1085806099-568186159-1003\Software\toolbar\Server -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-3894602836-1085806099-568186159-1003\Software\toolbar\UrlSearchHooks -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frE96F -> Spyware.IBIS : Cleaned with backup
C:\Program Files\Toolbar\gykhxlmu.rmr -> Spyware.IBIS : Cleaned with backup
C:\Program Files\Toolbar\nzqlihv.wzg -> Spyware.WebSearch : Cleaned with backup
C:\Program Files\Toolbar\radio.exe -> Spyware.WebSearch : Cleaned with backup
C:\Program Files\Toolbar\xlmurin.wzg -> Spyware.IBIS : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045184.exe.tcf -> Spyware.2Search : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045185.dll.tcf -> Spyware.2Search : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045186.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045187.exe -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045188.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045189.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045190.exe.tcf -> Trojan.SecondThought.bf : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045191.exe.tcf -> Trojan.SecondThought.bg : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045192.exe -> Spyware.BookedSpace.c : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045193.exe.tcf -> TrojanDropper.Small.mr : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045194.EXE.tcf -> TrojanDownloader.Small.wk : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045195.exe.tcf -> Backdoor.Agent.bg : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045196.exe.tcf -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045197.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045198.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045199.exe.tcf -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045200.exe.tcf -> Backdoor.Agent.bg : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045201.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045202.exe.tcf -> TrojanDownloader.Small.aak : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045203.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045204.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045205.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045206.exe.tcf/getst.exe -> Spyware.2Search : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045207.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045208.exe -> Spyware.Apropos : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045209.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045210.exe -> TrojanDownloader.QDown.v : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045211.dll -> TrojanDownloader.Dyfuca.eg : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP681\A0045212.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP682\A0048196.exe -> Trojan.Agent.cp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP682\A0048206.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP682\A0048234.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP682\A0048244.exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP683\A0048248.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP683\A0048254.exe -> Trojan.Agent.gp : Cleaned with backup


::Report End

* * * * * * *

Here is the Hijackthis Scan Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:03:17 PM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\GWMDMpi.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINNT\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearchbar.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://remote.lw.com/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINNT\tct101.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: TChkBHO Class - {2C4748C9-8A53-4544-ACEB-82FB5091F493} - C:\WINNT\system32\jegkgs.dll (file missing)
O2 - BHO: SDWin32 Class - {2C58C45D-AB26-46F7-98F5-315F3A26954F} - C:\WINNT\System32\klxqi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.n.../bridge-c46.cab
O16 - DPF: {15E31F81-702C-48F8-97B1-75AE9155B5E3} (TSWebCtl.UCTSWeb) - https://remote.lw.com/TSWebCtl.CAB
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - ms-its:mhtml:file://c:\nosunes.mht!http://daemonlinks.n...m::/website.cab
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) - https://remote.lw.com/spv3rdpchk.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

* * * * * *

Thanks again for your help.
  • 0

#6
Rawe
Posted 17 August 2005 - 05:19 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

- Rawe :tazz:
  • 0

#7
bfaris
Posted 17 August 2005 - 10:26 PM

bfaris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Please see below the Antispyware log from the Trend Micro icon. This is quite a process, by the way ...

* * * * *

Started Scanning
Internet Cookies
Found 'abetterinternet.com' in 'Internet Explorer Cache'
Found 'offeroptimizer.com' in 'Internet Explorer Cache'
Found 'bluestreak.com' in 'Internet Explorer Cache'
Found 'cliks.org' in 'Internet Explorer Cache'
Found 'btg.btgrab.com' in 'Internet Explorer Cache'
Found 'maxserving.com' in 'Internet Explorer Cache'
Found 'go.com' in 'Internet Explorer Cache'
Found 'btg.btgrab.com' in 'Internet Explorer Cache'
Programs in Memory
Found 'TBPS.exe' in 'C:\Program Files\Toolbar'
Found 'PIB.exe' in 'C:\Program Files\Toolbar'
Found 'TBPSSvc.exe' in 'C:\Program Files\Toolbar'
Windows Registry
Found '' in 'SOFTWARE\Morpheus'
Found '' in 'SOFTWARE\Classes\.xmfg'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\Control'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\MiscStatus'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\MiscStatus\1'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\ToolboxBitmap32'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{B666CF5A-B50A-49E4-8354-37AC595C5B7E}'
Found '' in 'SOFTWARE\Classes\CLSID\{B666CF5A-B50A-49E4-8354-37AC595C5B7E}\InprocServer32'
Found '' in 'SOFTWARE\Classes\TypeLib\{6043F8F5-4FBE-47DA-A789-146B02AE6FA0}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{6043F8F5-4FBE-47DA-A789-146B02AE6FA0}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{6043F8F5-4FBE-47DA-A789-146B02AE6FA0}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{6043F8F5-4FBE-47DA-A789-146B02AE6FA0}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\XMIRAGE.XMirageCtrl.1'
Found '' in 'SOFTWARE\Classes\XMIRAGE.XMirageCtrl.1\CLSID'
Found '' in 'SOFTWARE\Morpheus\Matrix'
Found '' in 'Software\Toolbar'
Found '' in 'Software\Toolbar\UrlSearchHooks'
Found '' in 'SOFTWARE\Classes\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}'
Found '' in 'SOFTWARE\Classes\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}'
Found '' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\Implemented Categories'
Found '' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}'
Found '' in 'SOFTWARE\Classes\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}'
Found '' in 'SOFTWARE\Classes\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}\ProgID'
Found '' in 'SOFTWARE\Classes\toolbar.ResProtocol'
Found '' in 'SOFTWARE\Classes\toolbar.ResProtocol\Clsid'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL'
Found '' in 'SOFTWARE\Toolbar'
Found '' in 'software\classes\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}'
Found '' in 'software\classes\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}\InprocServer32'
Found '' in 'software\classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}'
Found '' in 'software\classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\Implemented Categories'
Found '' in 'software\classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'software\classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'software\classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\ProgID'
Found '' in 'software\classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\TypeLib'
Found '' in 'software\classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\Version'
Found '' in 'software\classes\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}'
Found '' in 'software\classes\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}\InprocServer32'
Found '' in 'software\classes\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}'
Found '' in 'software\classes\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}\InprocServer32'
Found '' in 'software\classes\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}\ProgID'
Found '' in 'software\classes\PROTOCOLS\Handler\tpro'
Found '' in 'software\classes\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol'
Found '' in 'software\classes\toolbar.ResProtocol'
Found '' in 'software\classes\toolbar.ResProtocol\Clsid'
Found '' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'SOFTWARE\Classes\PROTOCOLS\Handler\tpro'
Found '' in 'SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol'
Found '' in 'SOFTWARE\Classes\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}'
Found '' in 'SOFTWARE\Classes\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}'
Found '' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}\Implemented Categories'
Found '' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}'
Found '' in 'SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}'
Found '' in 'SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}\Version'
Found '' in 'SOFTWARE\Classes\Common.Buttons'
Found '' in 'SOFTWARE\Classes\Common.Buttons\Clsid'
Found '' in 'SOFTWARE\Classes\TBPS.PluginConfig'
Found '' in 'SOFTWARE\Classes\TBPS.PluginConfig\Clsid'
Found '' in 'SOFTWARE\Classes\TBPS.PluginEvents'
Found '' in 'SOFTWARE\Classes\TBPS.PluginEvents\Clsid'
Found '' in 'SOFTWARE\Classes\TBPS.PluginServer'
Found '' in 'SOFTWARE\Classes\TBPS.PluginServer\Clsid'
Found '' in 'SOFTWARE\Classes\TBPS.ToolbarScript'
Found '' in 'SOFTWARE\Classes\TBPS.ToolbarScript\Clsid'
Found '' in 'SOFTWARE\Classes\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}\1.0\HELPDIR'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}\InprocServer32'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}\LocalServer32'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}\LocalServer32'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}\LocalServer32'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}\LocalServer32'
Found 'TBPS' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}'
Found '' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}'
Found '' in 'SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}'
Found '' in 'SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002}'
Found '' in 'SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}'
Found '' in 'SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}'
Found '' in 'SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}'
Found '' in 'SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}'
Found '' in 'SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}'
Found '' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}\Implemented Categories'
Found '' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}\Version'
Found '' in 'SOFTWARE\Classes\TBPS.PluginDown'
Found '' in 'SOFTWARE\Classes\TBPS.PluginDown\Clsid'
Found '' in 'SOFTWARE\Classes\TBPS.PluginInst'
Found '' in 'SOFTWARE\Classes\TBPS.PluginInst\Clsid'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}\LocalServer32'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5}'
Found '' in 'SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5}\TypeLib'
Found '' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc'
Found '' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum'
Found '' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc\Security'
Found 'DisplayIcon' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}'
Found '' in 'SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}\TypeLib'
Found '' in 'SOFTWARE\Classes\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}'
Found '' in 'SOFTWARE\Classes\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}\1.0\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}'
Found '' in 'SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}\1.0\0'
Found '{339BB23F-A864-48C0-A59F-29EA915965EC}' in 'SOFTWARE\Microsoft\Internet Explorer\Toolbar'
Found '{339BB23F-A864-48C0-A59F-29EA915965EC}' in 'Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
Found '{8952A998-1E7E-4716-B23D-3DBE03910972}' in 'Software\Microsoft\Internet Explorer\URLSearchHooks'
Found '' in 'SOFTWARE\Classes\Remove'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000\Control'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found '' in 'SOFTWARE\Toolbar\Install'
Found '' in 'SOFTWARE\Classes\Radio.RadioPlayer\Clsid'
Found '' in 'SOFTWARE\Classes\Radio.RadioPlayer'
Found 'Count' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum'
Found '0' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum'
Found 'Type' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc'
Found 'Start' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc'
Found 'ObjectName' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc'
Found 'ImagePath' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc'
Found 'ErrorControl' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc'
Found 'DisplayName' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc'
Found 'Description' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc'
Found 'ActiveService' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000\Control'
Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'
Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'
Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager'
Found '' in 'SOFTWARE\Classes\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}\1.0\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}\1.0'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\LocalServer32'
Found 'Security' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc\Security'
Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum'
Found '' in 'SOFTWARE\Classes\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools'
Found '' in 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus'
Found 'data.bin' in 'C:\Program Files\Aprps'
Found '' in 'C:\Program Files\Toolbar'
Found '' in 'C:\Program Files\Toolbar\Cursors'
Found 'cursors.xml' in 'C:\Program Files\Toolbar\Cursors'
Found 'gykhxlmu.rmr' in 'C:\Program Files\Toolbar'
Found 'nzqlihv.wzg' in 'C:\Program Files\Toolbar'
Found 'PIB.exe' in 'C:\Program Files\Toolbar'
Found 'TBPS.exe' in 'C:\Program Files\Toolbar'
Found 'TBPSSvc.exe' in 'C:\Program Files\Toolbar'
Found 'index.htm' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCD.tmp\UI1'
Found 'ASIFA15376.bsx' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp'
Found 'ASIH21180.bsx' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp'
Found 'ASIM9740.bsx' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp'
Found 'FMND1.bsx' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp'
Found 'TRVL6.bsx' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp'
Found 'shopinst.exe' in 'C:\windows\bundles'
Found 'conscorr.inf' in 'C:\WINNT\inf'
Found 'Decln.dll' in 'C:\WINNT\system32'
Found 'Declw.dll' in 'C:\WINNT\system32'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000\Control for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000\Control for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
Checking for 'C:\Program Files\Toolbar\TBPS.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\TBPS.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\TBPS.exe'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\TBPS.exe' requires a reboot.
Checking for 'C:\Program Files\Toolbar\PIB.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\PIB.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\PIB.exe'
Checking for 'C:\Program Files\Toolbar\TBPSSvc.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\TBPSSvc.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\TBPSSvc.exe'
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000\Control'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC\0000'. Error=5.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools'
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Frequently Asked Questions.url' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Frequently Asked Questions.url' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Frequently Asked Questions.url'
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Home.url' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Home.url' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Home.url'
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Privacy Policy.url' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Privacy Policy.url' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Privacy Policy.url'
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Terms of Use.url' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Terms of Use.url' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools\Terms of Use.url'
Checking for 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus'
Checking for 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus\Morpheus 2.0.lnk' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus\Morpheus 2.0.lnk' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus\Morpheus 2.0.lnk'
Checking for 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus\My Shared Folder.lnk' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus\My Shared Folder.lnk' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\Start Menu\Programs\Morpheus\My Shared Folder.lnk'
Checking for 'C:\Program Files\Aprps\data.bin' in shortcut areas.
Checking for 'C:\Program Files\Aprps\data.bin' in startup areas.
Cleaning 'C:\Program Files\Aprps\data.bin'
Checking for 'C:\Program Files\Toolbar' in shortcut areas.
Checking for 'C:\Program Files\Toolbar' in startup areas.
Cleaning 'C:\Program Files\Toolbar'
Checking for 'C:\Program Files\Toolbar\common.dll' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\common.dll' in startup areas.
Cleaning 'C:\Program Files\Toolbar\common.dll'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\common.dll' requires a reboot.
Checking for 'C:\Program Files\Toolbar\Cursors\cursors.xml' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\Cursors\cursors.xml' in startup areas.
Cleaning 'C:\Program Files\Toolbar\Cursors\cursors.xml'
Checking for 'C:\Program Files\Toolbar\gykhxlmu.rmr' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\gykhxlmu.rmr' in startup areas.
Cleaning 'C:\Program Files\Toolbar\gykhxlmu.rmr'
Checking for 'C:\Program Files\Toolbar\nzqlihv.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\nzqlihv.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\nzqlihv.wzg'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\nzqlihv.wzg' requires a reboot.
Checking for 'C:\Program Files\Toolbar\PIB.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\PIB.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\PIB.exe'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\PIB.exe' requires a reboot.
Checking for 'C:\Program Files\Toolbar\radio.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\radio.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\radio.exe'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\radio.exe' requires a reboot.
Checking for 'C:\Program Files\Toolbar\rw.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\rw.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\rw.wzg'
Checking for 'C:\Program Files\Toolbar\TBPS.dat' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\TBPS.dat' in startup areas.
Cleaning 'C:\Program Files\Toolbar\TBPS.dat'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\TBPS.dat' requires a reboot.
Checking for 'C:\Program Files\Toolbar\TBPS.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\TBPS.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\TBPS.exe'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\TBPS.exe' requires a reboot.
Checking for 'C:\Program Files\Toolbar\toolbar.dll' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\toolbar.dll' in startup areas.
Cleaning 'C:\Program Files\Toolbar\toolbar.dll'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\toolbar.dll' requires a reboot.
Checking for 'C:\Program Files\Toolbar\xlmurin.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\xlmurin.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\xlmurin.wzg'
Checking for 'C:\Program Files\Toolbar\xzxsv.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\xzxsv.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\xzxsv.wzg'
Checking for 'C:\Program Files\Toolbar\yildhvi.olt' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\yildhvi.olt' in startup areas.
Cleaning 'C:\Program Files\Toolbar\yildhvi.olt'
Checking for 'C:\Program Files\Toolbar\yywr.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\yywr.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\yywr.wzg'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\yywr.wzg' requires a reboot.
Checking for 'C:\Program Files\Toolbar\yywsv.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\yywsv.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\yywsv.wzg'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\yywsv.wzg' requires a reboot.
Checking for 'C:\Program Files\Toolbar\zwipvbh.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\zwipvbh.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\zwipvbh.wzg'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar' requires a reboot.
Checking for 'C:\Program Files\Toolbar\Cursors' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\Cursors' in startup areas.
Cleaning 'C:\Program Files\Toolbar\Cursors'
Checking for 'C:\Program Files\Toolbar\Cursors\cursors.xml' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\Cursors\cursors.xml' in startup areas.
Cleaning 'C:\Program Files\Toolbar\Cursors\cursors.xml'
[SCANMODS] The file 'C:\Program Files\Toolbar\Cursors\cursors.xml' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\Toolbar\gykhxlmu.rmr' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\gykhxlmu.rmr' in startup areas.
Cleaning 'C:\Program Files\Toolbar\gykhxlmu.rmr'
[SCANMODS] The file 'C:\Program Files\Toolbar\gykhxlmu.rmr' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\Toolbar\nzqlihv.wzg' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\nzqlihv.wzg' in startup areas.
Cleaning 'C:\Program Files\Toolbar\nzqlihv.wzg'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\nzqlihv.wzg' requires a reboot.
Checking for 'C:\Program Files\Toolbar\PIB.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\PIB.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\PIB.exe'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\PIB.exe' requires a reboot.
Checking for 'C:\Program Files\Toolbar\TBPS.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\TBPS.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\TBPS.exe'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\Toolbar\TBPS.exe' requires a reboot.
Checking for 'C:\Program Files\Toolbar\TBPSSvc.exe' in shortcut areas.
Checking for 'C:\Program Files\Toolbar\TBPSSvc.exe' in startup areas.
Cleaning 'C:\Program Files\Toolbar\TBPSSvc.exe'
[SCANMODS] The file 'C:\Program Files\Toolbar\TBPSSvc.exe' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCD.tmp\UI1\index.htm' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCD.tmp\UI1\index.htm' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCD.tmp\UI1\index.htm'
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIFA15376.bsx' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIFA15376.bsx' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIFA15376.bsx'
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIH21180.bsx' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIH21180.bsx' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIH21180.bsx'
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIM9740.bsx' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIM9740.bsx' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\ASIM9740.bsx'
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\FMND1.bsx' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\FMND1.bsx' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\FMND1.bsx'
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\TRVL6.bsx' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\TRVL6.bsx' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCF.tmp\TRVL6.bsx'
Checking for 'C:\windows\bundles\shopinst.exe' in shortcut areas.
Checking for 'C:\windows\bundles\shopinst.exe' in startup areas.
Cleaning 'C:\windows\bundles\shopinst.exe'
Checking for 'C:\WINNT\inf\conscorr.inf' in shortcut areas.
Checking for 'C:\WINNT\inf\conscorr.inf' in startup areas.
Cleaning 'C:\WINNT\inf\conscorr.inf'
Checking for 'C:\WINNT\system32\Decln.dll' in shortcut areas.
Checking for 'C:\WINNT\system32\Decln.dll' in startup areas.
Cleaning 'C:\WINNT\system32\Decln.dll'
Checking for 'C:\WINNT\system32\Declw.dll' in shortcut areas.
Checking for 'C:\WINNT\system32\Declw.dll' in startup areas.
Cleaning 'C:\WINNT\system32\Declw.dll'
Finished Cleaning

* * * * * * *

Thank you. :tazz:
  • 0

#8
Rawe
Posted 17 August 2005 - 10:59 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Can you post a fresh HiJackThis log
  • 0

#9
bfaris
Posted 18 August 2005 - 06:21 AM

bfaris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the fresh Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:20:31 AM, on 8/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINNT\System32\alg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearchbar.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://remote.lw.com/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINNT\tct101.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: TChkBHO Class - {2C4748C9-8A53-4544-ACEB-82FB5091F493} - C:\WINNT\system32\jegkgs.dll (file missing)
O2 - BHO: SDWin32 Class - {2C58C45D-AB26-46F7-98F5-315F3A26954F} - C:\WINNT\System32\klxqi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.n.../bridge-c46.cab
O16 - DPF: {15E31F81-702C-48F8-97B1-75AE9155B5E3} (TSWebCtl.UCTSWeb) - https://remote.lw.com/TSWebCtl.CAB
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - ms-its:mhtml:file://c:\nosunes.mht!http://daemonlinks.n...m::/website.cab
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) - https://remote.lw.com/spv3rdpchk.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

* * * * *
  • 0

#10
Rawe
Posted 18 August 2005 - 06:30 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Run a scan with HiJackThis and check the following objects for removal (Don't click "Fix Checked" yet!):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearchbar.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://remote.lw.com/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/...hoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINNT\tct101.dll (file missing)
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINNT\dsr.dll (file missing)
O2 - BHO: TChkBHO Class - {2C4748C9-8A53-4544-ACEB-82FB5091F493} - C:\WINNT\system32\jegkgs.dll (file missing)
O2 - BHO: SDWin32 Class - {2C58C45D-AB26-46F7-98F5-315F3A26954F} - C:\WINNT\System32\klxqi.dll (file missing)
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.n.../bridge-c46.cab
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - ms-its:mhtml:file://c:\nosunes.mht!http://daemonlinks.n...m::/website.cab

Close all open windows except for HijackThis, then click the FIX CHECKED. Close HijackThis.

Reboot.

Delete the following files if present:
C:\WINNT\tct101.dll
C:\WINNT\dsr.dll
C:\WINNT\system32\jegkgs.dll
C:\WINNT\System32\klxqi.dll
C:\Program Files\SurfSideKick 3\ <= Entire Folder
C:\Program Files\SurfAccuracy\ <= Entire Folder

Empty recycle bin. Post a fresh HiJackThis log.

- Rawe :tazz:
  • 0

Advertisements

#11
bfaris
Posted 20 August 2005 - 10:29 AM

bfaris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Sorry it took a few days to get back to this. It has been a hectic week. I completed all of the steps and here is the fresh HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:05 AM, on 8/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\WINNT\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15E31F81-702C-48F8-97B1-75AE9155B5E3} (TSWebCtl.UCTSWeb) - https://remote.lw.com/TSWebCtl.CAB
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) - https://remote.lw.com/spv3rdpchk.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

* * * * *

Thank you.
  • 0

#12
Rawe
Posted 21 August 2005 - 09:26 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Can you run this online scan and post it's results here:

Panda Activescan

- Rawe :tazz:
  • 0

#13
bfaris
Posted 22 August 2005 - 10:35 PM

bfaris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Please see results of Panda search below:


Incident Status Location

Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\Sskcwrd.dll
Adware:adware/tvmedia No disinfected C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\tvmcwrd.dll
Adware:adware/aurora No disinfected C:\WINNT\SYSTEM32\DrPMon.dll
Adware:adware/virtualbouncer No disinfected C:\WINNT\SYSTEM32\INNERADINSTALL.LOG
Adware:adware/shoppingcommunityNo disinfected C:\WINNT\SYSTEM32\mobupd.exe
Adware:adware/transponder No disinfected C:\WINNT\abiuninst.htm
Adware:adware/dealhelper No disinfected C:\WINNT\dsearch1.bin
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/surfaccuracy No disinfected Windows Registry
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LC4JGVJO\radio[1].cab[radio.exe]
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ULOT4PC9\newmajorse2[1].cab
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ULOT4PC9\newmajorse2[1].cab[newmajorse2.txt]
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/PortalScan No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp\bundles.exe
Adware:Adware/AdDestroyer No disinfected C:\windows\bundles\2504040901.exe
Adware:Adware/TopRebates No disinfected C:\windows\bundles\WebRebates_Auto_InstallSilent.exe
Virus:Trj/Downloader.AE Disinfected C:\WINNT\iocpog.exe
Adware:Adware/WurldMedia No disinfected C:\WINNT\system32\winbpupd.exe
Possible Virus. No disinfected C:\WINNT\Temp\ASHeuristic\ProcessViewer.exe.vir
* * * * *

The pop-up adds seem to have stopped for now, for what it is worth ... Thank you.
  • 0

#14
Rawe
Posted 22 August 2005 - 11:51 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, first delete this entire folder and empty recycle bin:

C:\Program Files\Aprps\

Next,

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\Sskcwrd.dll
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\tvmcwrd.dll
C:\WINNT\SYSTEM32\DrPMon.dll
C:\WINNT\SYSTEM32\INNERADINSTALL.LOG
C:\WINNT\SYSTEM32\mobupd.exe
C:\WINNT\abiuninst.htm
C:\WINNT\dsearch1.bin
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp\bundles.exe
C:\windows\bundles\2504040901.exe
C:\windows\bundles\WebRebates_Auto_InstallSilent.exe
C:\WINNT\iocpog.exe
C:\WINNT\system32\winbpupd.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Then post a fresh HijackThis log.

- Rawe :tazz:
  • 0

#15
bfaris
Posted 24 August 2005 - 10:25 PM

bfaris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Did it. Here is the latest HijackThis log. :tazz:

* * * * * * * *

Logfile of HijackThis v1.99.1
Scan saved at 11:24:00 PM, on 8/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\WINNT\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://remote.lw.com/default.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15E31F81-702C-48F8-97B1-75AE9155B5E3} (TSWebCtl.UCTSWeb) - https://remote.lw.com/TSWebCtl.CAB
O16 - DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} (v3 silent install) - https://remote.lw.com/spv3rdpchk.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP