Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spyware in Registry [RESOLVED]

Started by Northside , Sep 09 2005 12:22 PM

  • This topic is locked This topic is locked

#16
Northside
Posted 20 September 2005 - 12:01 PM

Northside

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I ran Spybot and Adaware this morning after sending you the previous note. Spybot found a security problem to disable antivirus with registry changes which is the same message I received a while back. The Ad-aware find mentioned "search assistant". It is the 8th MRU List Object Recognized.

I hope this is not a new find but the same problem resurfacing. As I mentioned in my first note today, I was able to locate 5 "hits" runing the Regsrch.vbs. You may want to read that note first, but I also thought I should let you know about this find.

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant
------------------------------------
Full Spybot Results:
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-08-26 Includes\Dialer.sbi
2005-09-01 Includes\Hijackers.sbi
2005-08-16 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-09-01 Includes\Malware.sbi
2005-08-12 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-08-25 Includes\Security.sbi
2005-09-01 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-09-01 Includes\Trojans.sbi
----------------------------------------
Ad-aware Results

Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, September 20, 2005 1:06:00 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R67 20.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):14 total references
Tracking Cookie(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R64 31.08.2005
Internal build : 75
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 515324 Bytes
Total size : 1551493 Bytes
Signature data size : 1518382 Bytes
Reference data size : 32599 Bytes
Signatures total : 43181
CSI Fingerprints total : 1032
CSI data size : 36709 Bytes
Target categories : 15
Target families : 740

9-20-2005 12:50:12 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R67 20.09.2005
Internal build : 79
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 524443 Bytes
Total size : 1576182 Bytes
Signature data size : 1543004 Bytes
Reference data size : 32666 Bytes
Signatures total : 43850
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 746


9-20-2005 12:52:25 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:70 %
Total physical memory:1046620 kb
Available physical memory:726732 kb
Total page file size:2516572 kb
Available on page file:2209120 kb
Total virtual memory:2097024 kb
Available virtual memory:2043316 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-20-2005 1:06:00 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 644
ThreadCreationTime : 9-20-2005 12:51:12 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 712
ThreadCreationTime : 9-20-2005 12:51:15 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 736
ThreadCreationTime : 9-20-2005 12:51:16 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 784
ThreadCreationTime : 9-20-2005 12:51:17 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 796
ThreadCreationTime : 9-20-2005 12:51:17 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
ModuleName : C:\WINDOWS\system32\Ati2evxx.exe
Command Line : C:\WINDOWS\system32\Ati2evxx.exe
ProcessID : 984
ThreadCreationTime : 9-20-2005 12:51:17 PM
BasePriority : Normal


#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 996
ThreadCreationTime : 9-20-2005 12:51:17 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 1052
ThreadCreationTime : 9-20-2005 12:51:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1092
ThreadCreationTime : 9-20-2005 12:51:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 1200
ThreadCreationTime : 9-20-2005 12:51:19 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1272
ThreadCreationTime : 9-20-2005 12:51:19 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ccsetmgr.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Command Line : n/a
ProcessID : 1352
ThreadCreationTime : 9-20-2005 12:51:20 PM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:13 [sndsrvc.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Command Line : n/a
ProcessID : 1364
ThreadCreationTime : 9-20-2005 12:51:20 PM
BasePriority : Normal
FileVersion : 5.5.1.6
ProductVersion : 5.5
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:14 [spbbcsvc.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Command Line : n/a
ProcessID : 1376
ThreadCreationTime : 9-20-2005 12:51:20 PM
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:15 [ccevtmgr.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Command Line : n/a
ProcessID : 1420
ThreadCreationTime : 9-20-2005 12:51:21 PM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:16 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1580
ThreadCreationTime : 9-20-2005 12:51:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:17 [aolacsd.exe]
ModuleName : C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
Command Line : C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
ProcessID : 1680
ThreadCreationTime : 9-20-2005 12:51:21 PM
BasePriority : Normal


#:18 [ewidoctrl.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 1712
ThreadCreationTime : 9-20-2005 12:51:21 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:19 [iaantmon.exe]
ModuleName : C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
Command Line : "C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe"
ProcessID : 1728
ThreadCreationTime : 9-20-2005 12:51:21 PM
BasePriority : Normal
FileVersion : 4.0.0.6211
ProductVersion : 4.0.0.6211
ProductName : Intel IAANTmon
CompanyName : Intel Corporation
FileDescription : Intel Application Accelerator RAID Monitor
InternalName : IAANTmon
LegalCopyright : Copyright© Intel Corporation 2003-04
OriginalFilename : IAANTmon.exe

#:20 [kodakccs.exe]
ModuleName : C:\WINDOWS\system32\drivers\KodakCCS.exe
Command Line : C:\WINDOWS\system32\drivers\KodakCCS.exe
ProcessID : 1740
ThreadCreationTime : 9-20-2005 12:51:21 PM
BasePriority : Normal
FileVersion : 1.1.5100.4
ProductVersion : 4.4.0.0
ProductName : Kodak DC File System Driver (Win32)
CompanyName : Eastman Kodak Company
FileDescription : Kodak DC Ring 3 Conduit (Win32)
InternalName : KodakCCS.exe
LegalCopyright : Copyright © Eastman Kodak Co. 2000-2004
OriginalFilename : DcFsSvc.exe

#:21 [sqlservr.exe]
ModuleName : C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
Command Line : "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe" -sMICROSOFTBCM
ProcessID : 1772
ThreadCreationTime : 9-20-2005 12:51:21 PM
BasePriority : Normal
FileVersion : 2000.080.0818.00
ProductVersion : 8.00.818
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Windows NT
InternalName : SQLSERVR
LegalCopyright : © 1988-2003 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows™ is a trademark of Microsoft Corporation
OriginalFilename : SQLSERVR.EXE
Comments : NT INTEL X86

#:22 [navapsvc.exe]
ModuleName : C:\Program Files\Norton AntiVirus\navapsvc.exe
Command Line : n/a
ProcessID : 1848
ThreadCreationTime : 9-20-2005 12:51:22 PM
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:23 [npfmntor.exe]
ModuleName : C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
Command Line : n/a
ProcessID : 1864
ThreadCreationTime : 9-20-2005 12:51:22 PM
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Firewall Install Monitor
InternalName : NPFMonitor
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NPFMonitor.EXE

#:24 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k imgsvc
ProcessID : 1980
ThreadCreationTime : 9-20-2005 12:51:22 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:25 [wrsssdk.exe]
ModuleName : C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Command Line : "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe"
ProcessID : 2000
ThreadCreationTime : 9-20-2005 12:51:22 PM
BasePriority : Normal
FileVersion : 1,0,4,289
ProductVersion : 1, 0
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper SDK
LegalCopyright : Copyright © 2002 - 2004, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe

#:26 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 520
ThreadCreationTime : 9-20-2005 12:51:24 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:27 [symlcsvc.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Command Line : n/a
ProcessID : 636
ThreadCreationTime : 9-20-2005 12:51:24 PM
BasePriority : Normal
FileVersion : 1, 8, 54, 419
ProductVersion : 1, 8, 54, 419
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:28 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 692
ThreadCreationTime : 9-20-2005 12:51:24 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:29 [ccapp.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Command Line : n/a
ProcessID : 2312
ThreadCreationTime : 9-20-2005 12:51:31 PM
BasePriority : Normal
FileVersion : 103.0.5.2
ProductVersion : 103.0.5.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:30 [spysweeper.exe]
ModuleName : C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Command Line : "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
ProcessID : 2344
ThreadCreationTime : 9-20-2005 12:51:31 PM
BasePriority : Normal
FileVersion : 4,0,4,430
ProductVersion : 4, 0
ProductName : Spy Sweeper Retail
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper Retail Executable
LegalCopyright : Copyright © 2002 - 2005, All Rights Reserved.
OriginalFilename : SpySweeper.exe

#:31 [easyshare.exe]
ModuleName : C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
Command Line : "C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe" -h
ProcessID : 2376
ThreadCreationTime : 9-20-2005 12:51:32 PM
BasePriority : Normal
FileVersion : 5, 0, 4, 167
ProductVersion : 4, 0, 4, 177
ProductName : Kodak EasyShare software
CompanyName : Eastman Kodak Company
FileDescription : Kodak EasyShare software
InternalName : EasyShare
LegalCopyright : Copyright © Eastman Kodak Company 2002
LegalTrademarks : EasyShare
OriginalFilename : EasyShare.exe

#:32 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 3872
ThreadCreationTime : 9-20-2005 12:52:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:33 [ntvdm.exe]
ModuleName : C:\WINDOWS\system32\ntvdm.exe
Command Line : "C:\WINDOWS\system32\ntvdm.exe" -f -i1 -w -a C:\WINDOWS\system32\krnl386.exe
ProcessID : 204
ThreadCreationTime : 9-20-2005 2:02:49 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : NTVDM.EXE
InternalName : NTVDM.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NTVDM.EXE

#:34 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2832
ThreadCreationTime : 9-20-2005 4:50:02 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:35 [spybotsd.exe]
ModuleName : C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Command Line : "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
ProcessID : 3152
ThreadCreationTime : 9-20-2005 4:52:38 PM
BasePriority : Normal
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
ProductName : SpyBot-S&D
CompanyName : Safer Networking Limited
FileDescription : Spybot - Search & Destroy
InternalName : SpybotSD
LegalCopyright : © 2000-2004 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : SpyBotSD.exe
Comments : Software zum Entfernen von Spyware und ähnlichen Bedrohungen.

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\Documents and Settings\Shirley\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

MRU List Object Recognized!
Location: : C:\Documents and Settings\Shirley\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\office\11.0\publisher\recent file list
Description : list of recent files used by microsoft publisher

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-2989832804-2161733268-2457680295-1005\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : shirley@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:36
Value : Cookie:[email protected]/
Expires : 9-19-2010 12:48:22 PM
LastSync : Hits:36
UseCount : 0
Hits : 36

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : shirley@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:[email protected]/
Expires : 9-19-2008 12:48:24 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 9-17-2005 9:18:28 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : shirley@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/
Expires : 11-11-2006 1:29:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : shirley@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 9-18-2010 8:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 19

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 19

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

1:13:28 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:27.641
Objects scanned:133147
Objects identified:5
Objects ignored:0
New critical objects:5
  • 0

Advertisements

#17
greyknight17
Posted 20 September 2005 - 05:56 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try not to post the Ad-aware log unless I ask for it :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\ and delete 7D449D87B79A4004BAA05BDA60389904

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\ and delete 7D449D87B79A4004BAA05BDA60389904

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Fix that entry in Spybot. Restart and run those scans again. Any problems now?
  • 0

#18
Northside
Posted 20 September 2005 - 07:04 PM

Northside

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I was able to successfully delete the files you mentioned. Regarding the Spybot entry, ...\AntivirusDisableNotify, I fixed (or at least I intended to) it earlier but I ran it again and it was there again with a registry change with two other "hits". I fixed all three. Just to check I restarted the computer and ran Spybot again which was clean. I noticed Norton was running before I started Spybot, disabled during the run, and enabled again when finished. I don't remember this happening before. Does Spybot turn off antivirus to run the scan?

I noticed when I restarted the computer after deleting the files you requested, Norton was disabled. While I ran Spybot Norton disabled, I left the room and returned before the scan finished and Norton was enabled again. I'm questioning should this happen? how do I know if the problem is solved now, and does Spybot fix a registry change? I hope I didn't just confuse you. I hope the problem is solved now. Thank you.
  • 0

#19
greyknight17
Posted 21 September 2005 - 04:15 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No. Something else must have disabled that registry entry but Spybot fixed it now. If Spybot's TeaTimer program is running, it may ask you if you want to accept or deny a change.

If we are fixing items and it's asking you if you want to allow a change (for something I asked you to fix), then ALLOW the change. If it keeps asking this on every reboot, just check the box to remember it.

It shouldn't disable Norton. I want you to restart and see if Norton is on/running now. Now run Spybot scan. Does it disable Norton?
  • 0

#20
Northside
Posted 21 September 2005 - 07:41 PM

Northside

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I rebooted the computer and ran Spybot. Norton disabled shortly after starting and then enabled again about 3/4 through the scan. Weird, it didn't used to do that. Spybot has not asked me to allow a change. I have always just fixed the problem.

When I ran RegSrch.vbs Norton saw this as a malicious script. I tried to allow it one time and it would not allow me to run the program. I ran it in safe mode expecting that Norton was not running, but at this point Norton again saw this program as a malicious script. Norton did allow me to do what I needed this time. I selected allow all changes or something like that, the bottom choice. I don't know if this means anything or not.

After I ran regedit and deleted the two lines you requested, I ran Spybot and rebooted again as you requested. When I attempted to log onto AOL Norton disabled and I enabled it to go on-line. Could my Norton be corrupt? Except for disabling I think it is working. I'm not sure it automatically updates, but I may not be on line long enough. Well let me rephrase, I'm not always getting a pop-up message shows that it has updated, but I am periodically manually updating to make sure I'm current.

Thank you for your help!
  • 0

#21
greyknight17
Posted 22 September 2005 - 01:49 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, I'm going to try converting another user to AVG (you :tazz:). I don't like Norton at all. It's a main cause for many pc problems when it's not spyware or virus related anymore. So I'm thinking Norton is the culprit here.

Boot into Safe Mode. Make sure Norton is not running at all. Check the system tray (near the time) to make sure it's closed. Then go to your Add/Remove panel and uninstall everything that's related to Norton. Install Grisoft AVG (antivirus) and ZoneAlarm (firewall). Both are free for personal use and I have found it much more reliable and less resource hogging than Norton.

Restart and see if Spybot disables AVG at startup.
  • 0

#22
Northside
Posted 26 September 2005 - 06:54 PM

Northside

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I suspect I am not really having trouble with Norton. Let me explain to you why I thought Norton was disabling. First, the Spybot finding of: Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0.

Secondly, I noticed the Norton icon in the lower right corner Taskbar (system tray) had a red x in the icon. I assumed this to mean Norton was disabled. At this time when I opened Norton the Auto-Protect was On. I was confused and and at some point thought my Norton was disabling itself. Norton Status at no time has shown Auto-protect to be off.

Over the weekened while purchasing a new scanner because my scanner was not XP compatible we were discussing XP as a good system. It came up that my Norton icon in my Taskbar (system tray) would get a red x through it. He told me that this did not mean that my Norton was disabled but that at that point in time Microsoft did not recognize that my antivirus was running. When it detected it again the red x would disappear. I’m thinking this is where Microsoft communicates with me such as when there are windows updates, the shield appears to notify me updates are available.

If I go into Taskbar > Properties > Customize I can choose when I want these icons to show. Norton is set to Always Show. Below this section are “Past Items.” In this section are two icons for Norton, the regular and one with the red x. Next to each icon is the description Java ™ 2 Platform and both are set to “hide when inactive.”

I have four questions: Is the gentleman in the store correct in that Microsoft is communicating not identifying antivirus running at that time, 2) should these "Past Items" icons be showing Java ™ 2 Platform, (I have heard of Java but do not know what it is), 3) is it as simple as changing it to “always hide”, and 4) can and should these icons be deleted? Norton is correctly listed under "Current Names."

I should add I have not seen the Norton red x icon in two days. Coincidentally just previous to this I ran CleanUp.

Am I correct in that maybe I don't really have an problem with Norton.

Thank you for your help.
  • 0

#23
greyknight17
Posted 26 September 2005 - 07:48 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
1. He could be correct about that. I personally don't have SP2 installed because of some hardware issues (so no Security Center). But I think that the Security Center might be able to cause problems like that since it should detect a antivirus and firewall program if you have one. So is it detected again sometimes?

2. I wouldn't worry about those Past Items entries. Those are just used to tell Windows whether they should show them in your system tray (you see those icons there near the time?). If it's set to Never, then they will never show up in the tray unless you click that arrow button on the tray (you'll see it when some icons become inactive). Java is a program that most computers should have now. It's used to run some programs properly (more specifically, Java related programs - this could be online or offline).

3. Is the Java icon (it's a picture of a coffee mug/cup) showing up in your system tray (near time/clock)? If not, it's either disabled from startup or uninstalled already. You may set it to Always Hide if you wish, but if it doesn't exist anymore (meaning it's disabled or uninstalled) then there's no difference. You can set any program you want to any of those options (like Always Hide, Always Show, etc.). Try it out yourself. Set Norton to Always Hide and you will immediately see that Norton's icon will be gone. Click on the arrow in the system tray and then you will see it listed there :tazz:

4. Deleted? Not sure if you can delete them (at least not from there). It's usually programs that were running in the system tray before. They don't cause any problems, so I say don't worry about them being there :)

Oh, so no more problems? :) Yay. Yes, it should be all clear in that case. If you want, give it a day or so and post back on the status.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#24
greyknight17
Posted 10 October 2005 - 01:16 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP