
w32/downloader.gia; elitebar.c; agent.xj; etc. [RESOLVED]


  • This topic is locked

#1 md2o2o
    New Member
  • Member
  • 7 posts
I use Command AntiVirus by Authentium. I'm not sure how good it is, but every time I reboot it shows some detected trojans:
w32/downloader.gia
w32/trojan.wa
w32/elitebar.c
etc.

It says it deletes them, but every reboot they return. When I start trying to look for the infected files, it starts going crazy with a bunch of different ones. Unfortunately, I share this PC with my girlfriend, and who knows what she's clicking on. Maybe someone can help me. I downloaded and ran all of the items you ask for in the Start Here post, and I have attached my HJT log below:

Logfile of HijackThis v1.99.1
Scan saved at 5:50:33 PM, on 10/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\ZANGOA~1\ZANGOM~1\em2.exe
C:\Program Files\Wireless Sync\Client\ClientShell.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Phyllis Dunn\Desktop\Spyware removal Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1stsearchportal.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [EasyMessage] "C:\PROGRA~1\ZANGOA~1\ZANGOM~1\em2.exe" -wait
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} (portLoader Class) - http://a248.g.akamai...g2/download.cab
O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} - http://sp.ask.com/do...teomab-inst.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...inc1001_sp2.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet...s/ybrequest.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://software.news...k1/isetupml.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {9E72D9D4-4DC3-429C-A4D5-EFF3AC5CC606} (InstallerAX Class) - http://chevy.a.conte...installerAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD3B6305-5C82-4D9C-90B5-4E5F4F53B8B1}: NameServer = 65.169.169.5,204.117.214.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Photoshop CS\service\VersionCue.exe
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: BullGuard LiveUpdate Service (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - C:\Program Files\HPQ\SHARED\HPQWMI.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe


I'm sure there must be an army of stuff in here, so please help if you can. I would hate to have to zero out the hard drive and reinstall everything.

Thanks,

Matt
  • 0

#2 tampabelle
    Member 5k
  • Retired Staff
  • 6,363 posts
Hi Matt,


Your logs don't show anything, so let's do a scan.

You have Ewido installed on your PC.

  • Run ewido.
  • You will need to update ewido to the latest definition files.
    • On the left-hand side of the main screen, click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed
    (the status bar at the bottom will display "Update successful").
  • Exit ewido. DO NOT scan yet.
Reboot the PC in Safe Mode.

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Now open ewido and do a scan of your system.
  • Click on Scanner.
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the report from the ewido scan, by using Add Reply.
  • 0

#3 md2o2o
    New Member
  • Topic Starter
  • Member
  • 7 posts
Hey, thanks for helping me. I ran ewido and it found 88 items. I will post the ewido log and my HJT log below. Please let me know what I will need to do from there.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:50:14 PM, 10/05/2005
+ Report-Checksum: CD37CE77

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0AB71193-EC19-4D70-85C2-E46E2FF02755}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{31A59636-0FA3-4A56-954D-DB7AD02840D8}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3FA917B9-DF69-477F-9E4F-B60D929DE79F}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{66B90ADB-0BE3-40AE-8680-84A6F0577CA0}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A14C0D8D-E753-4E73-9E2B-4070791D8940}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C2BAA4C9-AE1E-4605-AE2F-A1C49A30D881}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{ED8525EA-2BFC-4440-BD8A-20EFB9D5E541}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F78B32D6-D6D8-4137-A18F-91EBE1A4AEDB}\TreatAs\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{023A4648-601A-4C30-8A2E-C72EBFA99AF6}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{175816A5-219E-4079-B2F9-53C501C409BA}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{19EBCBE0-9245-4397-BC5D-883D34782043}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{27C4569F-8728-4958-A920-A607CAE8153C}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{397A208B-3D09-4B3E-93E8-CA171886612E}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3C1A06CC-3981-4DB9-B5B6-B4B8ECB1D7F2}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{421745E9-16DF-4EE4-A758-D51F939C49CB}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4331EC56-0AAB-499E-8757-DD2EE44AD671}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4921DB9C-64EA-430A-ABD2-D016DB5A0AC4}\ProxyStubClsid32\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{54286C3A-E044-4E65-BD44-528D6AE28A18}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{5D16197A-1EAA-45AF-B29A-69F1AA055E87}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{5F2B9DE7-F878-4762-8CFE-E9C58F082F0E}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8654592E-952A-4E7C-A960-304763B35FA6}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8A61A950-C325-4F44-BA64-273180FF3464}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8D5C4EC6-AF8E-4B85-BA27-64BABE410510}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8E98FAF8-794F-47F9-AF90-15305564ED81}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9387EAA3-66DC-4DA5-B40B-C9D080D6F818}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9CDDFBC2-8DC8-4F01-9143-9685D6E16DFC}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AF15975B-1498-4740-8E6C-90AF78E4198C}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B53D4CD4-406D-43CC-8244-7893D72236DD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B9BB3219-F84C-4060-966B-4A1E73E24226}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC8C2E5F-D8B4-4997-BCE3-8775C3707956}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{CC9AA028-D639-442F-B97D-A2DAD8F293A2}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D082721F-4BD4-4B8B-BB82-06753EE6174F}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D24F9D3C-5D4C-47F8-9AB7-632B44AD6A0D}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F43EC88B-B6C8-4969-A763-E2BF55602CCE}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F786CB18-3809-4E49-BC99-9A66DA47DB8B}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F814BE58-1BF9-4B50-829A-E889F86127AD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin.1 -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.SettingsPlugin.1\CLSID\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin.1 -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\Need2FindBar.ToolbarPlugin.1\CLSID\\ -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Classes\SbHostIE.Bho\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbHostIE.Bho.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbSrv.CoreServices\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbSrv.CoreServices.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbToolbar.HtmlMenuUI\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbToolbar.HtmlMenuUI.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SpamBlockerConfig.Application\Clsid\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SpamBlockerConfig.Application.1\Clsid\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SpamBlockerUtility.CommBand\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SpamBlockerUtility.CommBand.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Spyware.Altnet : Cleaned with backup
HKU\S-1-5-21-3690246030-55483478-2430187249-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-3690246030-55483478-2430187249-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{946B3E9E-E21A-49c8-9F63-900533FAFE14} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3690246030-55483478-2430187249-1006\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E77EDA01-3C56-4a96-8D08-02B42891C169} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-3690246030-55483478-2430187249-1006\Software\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-3690246030-55483478-2430187249-1006_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis dunn@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis dunn@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis dunn@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis [email protected][1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis dunn@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis [email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis dunn@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis [email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis dunn@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis dunn@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Cookies\phyllis dunn@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Phyllis Dunn\Local Settings\Temp\temp.fr84BA -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> TrojanDownloader.Apropo.ag : Cleaned with backup
C:\Program Files\Aprps\CxtPls.exe -> TrojanDownloader.Apropo.ag : Cleaned with backup
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\Zango Applications\Zango Messenger\ZangoInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\Zango Applications\Zango Messenger\ZangoInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\ZangoClient\zanu.exe -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X6LCDVSE\pre[1].exe -> TrojanDropper.Small.aeq : Cleaned with backup
C:\WINDOWS\system32\csrss_log.dat -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\kalvmkw32.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 1:56:53 PM, on 10/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\Program Files\Wireless Sync\Client\ClientShell.exe
C:\PROGRA~1\CENTAL~4\centaleim.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Phyllis Dunn\Desktop\Spyware removal Tools\hijackthis\HijackThis.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1stsearchportal.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [EasyMessage] "C:\PROGRA~1\ZANGOA~1\ZANGOM~1\em2.exe" -wait
O4 - HKLM\..\Run: [CentaleD1] C:\PROGRA~1\CENTAL~3\Cntld1.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Centale IM.lnk = C:\Program Files\Centale IM\UNWISE.EXE
O4 - Startup: Check for updates.lnk = C:\Program Files\Centale IM\UNWISE.EXE
O4 - Startup: MOD Updates.lnk = C:\Program Files\MusicOnDemand\update.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} (portLoader Class) - http://a248.g.akamai...g2/download.cab
O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} - http://sp.ask.com/do...teomab-inst.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...inc1001_sp2.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet...s/ybrequest.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://software.news...k1/isetupml.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {9E72D9D4-4DC3-429C-A4D5-EFF3AC5CC606} (InstallerAX Class) - http://chevy.a.conte...installerAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD3B6305-5C82-4D9C-90B5-4E5F4F53B8B1}: NameServer = 65.169.169.5,204.117.214.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Photoshop CS\service\VersionCue.exe
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: BullGuard LiveUpdate Service (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - C:\Program Files\HPQ\SHARED\HPQWMI.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

I notice references to Zango and 180 Solutions in the ewido report, which is funny because I read the news on this site about those companies being in trouble for using spyware. Ironically, my Ad-Aware SE Plus didn't pick them up even after updating.

Anyway, please let me know what I need to clean, remove, or kill.

Thanks
  • 0
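The two HijackThis logs in posts #1 and #3, read together with the ewido report, show the kind of cross-check a helper does by hand: which entries appeared between the scans (the Centale and QuickTime entries are new in post #3), and which autostart entries still point into directories ewido has just cleaned (the [EasyMessage] Run key still points at ZANGOA~1\ZANGOM~1\em2.exe after ewido cleaned files under Zango Applications\Zango Messenger). The script below is an added example written for this thread; it is not code from HijackThis, ewido, or either poster. It parses the two log formats as pasted in the thread, diffs the R/F/O entries of two HJT logs, and flags O4 autostart entries whose program directory matches a directory ewido reported cleaning. The 8.3 short-name matching (ZANGOA~1 against "Zango Applications") is an approximation of how Windows builds short names and is an assumption of this example; the sample log lines are copied or trimmed from the thread.

```python
"""Triage helpers for HijackThis (HJT) and ewido logs.

Added example for this thread; not code from HijackThis, ewido or the posters.
  1. diff_hjt: entries that appeared or vanished between two HJT logs;
  2. flag_autostarts: O4 autostart entries whose program lives in (or under)
     a directory in which ewido reported cleaning a file.
The short-name matching in short_key() is an assumption: it mimics the usual
8.3 derivation (drop spaces/punctuation, upper-case, keep six characters) and
is good enough for log triage, not a reimplementation of the NTFS algorithm.
"""
import re

# HJT entry lines: "O4 - HKLM\..\Run: [EasyMessage] "C:\...\em2.exe" -wait"
HJT_ENTRY_RE = re.compile(r'^(?P<kind>[RFO]\d+) - (?P<rest>.+)$')
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com)\b', re.I)
# ewido file lines: "C:\path\file.exe -> Spyware.X : Cleaned with backup"
EWIDO_FILE_RE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) -> (?P<det>\S+) : (?P<action>.+)$')
# Directory components too common to identify a product on their own.
GENERIC = {'PROGRA', 'WINDOW', 'SYSTEM', 'DOCUME', 'COMMON', 'LOCALS', 'TEMP'}


def short_key(component):
    """'Zango Applications' -> 'ZANGOA', 'ZANGOA~1' -> 'ZANGOA', 'Aprps' -> 'APRPS'."""
    base = component.split('~', 1)[0]
    return re.sub(r'[^A-Za-z0-9]', '', base).upper()[:6]


def dir_key(path):
    """Short keys of the directory components of a file path (drive and file name dropped)."""
    parts = path.split('\\')
    return tuple(short_key(p) for p in parts[1:-1])


def parse_hjt(text):
    """Set of HJT R/F/O entry lines; the 'Running processes' list and header are ignored."""
    entries = set()
    for line in text.splitlines():
        m = HJT_ENTRY_RE.match(line.strip())
        if m:
            entries.add(m.group(0))
    return entries


def diff_hjt(old_text, new_text):
    """(added, removed) entry lists between two HJT logs."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return sorted(new - old), sorted(old - new)


def cleaned_dirs(ewido_text):
    """Directory keys of files in an ewido report, keeping only product-specific ones.

    Registry findings (HKLM\\..., HKU\\...) carry no file directory and are skipped;
    directories made only of generic components (C:\\WINDOWS\\system32) are skipped
    too, otherwise every legitimate system32 autostart would be flagged.
    """
    keys = set()
    for line in ewido_text.splitlines():
        m = EWIDO_FILE_RE.match(line.strip())
        if not m:
            continue
        key = dir_key(m.group('path'))
        if any(k not in GENERIC for k in key):
            keys.add(key)
    return keys


def flag_autostarts(hjt_text, ewido_text):
    """O4 entries whose program path is inside a directory ewido cleaned files from."""
    dirs = cleaned_dirs(ewido_text)
    flagged = []
    for entry in sorted(parse_hjt(hjt_text)):
        if not entry.startswith('O4 '):
            continue
        m = WIN_PATH_RE.search(entry)
        if not m:
            continue
        key = dir_key(m.group(0))
        if any(key[:len(d)] == d for d in dirs):
            flagged.append(entry)
    return flagged


# Sample input: lines copied/trimmed from the thread's logs.
HJT_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1stsearchportal.com/sp2.php
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EasyMessage] "C:\PROGRA~1\ZANGOA~1\ZANGOM~1\em2.exe" -wait
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
"""
HJT_AFTER = HJT_BEFORE + r"""
O4 - HKLM\..\Run: [CentaleD1] C:\PROGRA~1\CENTAL~3\Cntld1.exe
O4 - Startup: Centale IM.lnk = C:\Program Files\Centale IM\UNWISE.EXE
"""
EWIDO_REPORT = r"""
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Aprps\CxtPls.exe -> TrojanDownloader.Apropo.ag : Cleaned with backup
C:\Program Files\Zango Applications\Zango Messenger\ZangoInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\system32\kalvmkw32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
"""

if __name__ == '__main__':
    added, removed = diff_hjt(HJT_BEFORE, HJT_AFTER)
    print('new since previous log:', *added, sep='\n  ')
    print('autostarts in cleaned directories:', *flag_autostarts(HJT_AFTER, EWIDO_REPORT), sep='\n  ')
```

On the thread's own logs this reports the two Centale entries and the QuickTime/Messenger entries as new, and the [EasyMessage] Run key as an autostart still pointing into a directory ewido cleaned, which is exactly the leftover a helper would list for removal.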

#4 tampabelle
    Member 5k
  • Retired Staff
  • 6,363 posts
Please download RootkitRevealer from here:
http://www.sysintern...kitrevealer.zip

Unzip it to the desktop, run it, and click Scan.

This will generate a log file; please post the entire contents of the log file here for me to see.
  • 0

#5 md2o2o
    New Member
  • Topic Starter
  • Member
  • 7 posts
OK, here is the RootkitRevealer log file:

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP187\A0022446.exe 8/19/2001 7:30 AM 11.32 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP187\A0022447.exe 8/19/2001 7:30 AM 11.32 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP187\A0022448.exe 8/19/2001 7:30 AM 11.32 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP187\A0022449.exe 8/19/2001 7:30 AM 11.32 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP187\A0022450.exe 8/19/2001 7:30 AM 11.32 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP213\A0035976.exe 9/2/2005 9:20 AM 154.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP215\A0036026.dll 9/5/2005 12:54 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP215\A0036071.dll 9/5/2005 5:24 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP215\A0036086.dll 9/5/2005 5:37 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP215\A0037086.dll 9/7/2005 8:57 AM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP218\A0039113.dll 9/7/2005 9:01 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP218\A0039236.dll 9/7/2005 9:10 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP220\A0039342.dll 9/8/2005 8:40 AM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP220\A0039346.exe 9/8/2005 8:40 AM 154.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP220\A0039377.dll 9/8/2005 8:03 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP222\A0040441.dll 9/12/2005 9:16 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP222\A0041493.dll 9/12/2005 9:32 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP222\A0041613.dll 9/13/2005 8:35 AM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP222\A0042613.dll 9/13/2005 9:42 AM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP223\A0042950.dll 9/13/2005 5:24 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP223\A0043950.dll 9/13/2005 6:47 PM 9.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP246\A0046190.exe 8/19/2001 7:30 AM 11.09 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf 10/5/2005 7:19 PM 48.81 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf 10/5/2005 7:19 PM 32.47 KB Hidden from Windows API.
  • 0

#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Everything looks fine.


Lets do one final thing.




Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.
  • 0
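A small triage script for RootKitRevealer output like the log posted above, added here as an example and not part of the original thread or of the Sysinternals tool. It splits each result line into path, timestamp, size and description, separates the two discrepancy types the tool reports ("Hidden from Windows API" versus "Visible in Windows API, but not in MFT or directory index"), and, as an assumption taken from the reply above, treats entries under System Restore points and the Prefetch folder as scan-time churn so that any other discrepancy lands in a review queue; the third sample line is a constructed placeholder, not a file from the log.

```python
import re
from dataclasses import dataclass

# One RootKitRevealer result line: "<path> <date> <time> <size> <description>."
# The path may contain spaces, so the pattern anchors on the trailing fields.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\.?\s*$"
)

# Locations that change while a scan runs (restore points, Prefetch) and that
# the reply above treated as nothing to worry about. This list is an assumption
# made for the example, not a rule shipped with RootKitRevealer.
LOW_PRIORITY_PREFIXES = (
    "c:\\system volume information\\_restore",
    "c:\\windows\\prefetch\\",
)


@dataclass
class Entry:
    path: str
    timestamp: str
    size: str
    description: str
    kind: str      # "hidden", "api_only" or "other"
    priority: str  # "low" (scan-time churn location) or "review"


def classify(description: str) -> str:
    """Map the tool's description text to the kind of discrepancy it reports."""
    d = description.lower()
    if d.startswith("hidden from windows api"):
        return "hidden"     # raw NTFS scan sees it, the Win32 API does not
    if d.startswith("visible in windows api"):
        return "api_only"   # API sees it, raw scan did not (often created mid-scan)
    return "other"


def parse_line(line: str):
    """Return an Entry for one result line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    low = path.lower().startswith(LOW_PRIORITY_PREFIXES)
    return Entry(path, f'{m.group("date")} {m.group("time")}', m.group("size"),
                 m.group("desc"), classify(m.group("desc")),
                 "low" if low else "review")


def triage(log_text: str) -> list:
    """Parse every result line of a pasted RootKitRevealer log."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def review_queue(entries) -> list:
    """Paths a human should look at: discrepancies outside the churn locations."""
    return [e.path for e in entries if e.priority == "review"]


def summarize(entries) -> dict:
    """Count entries by (kind, priority)."""
    counts = {}
    for e in entries:
        counts[(e.kind, e.priority)] = counts.get((e.kind, e.priority), 0) + 1
    return counts


# Constructed sample: two lines as posted above, plus one placeholder path
# outside the churn locations to show what lands in the review queue.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}(2)\RP187\A0022446.exe 8/19/2001 7:30 AM 11.32 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf 10/5/2005 7:19 PM 48.81 KB Hidden from Windows API.
C:\WINDOWS\system32\constructed_example.sys 10/5/2005 7:20 PM 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(summarize(found))
    for path in review_queue(found):
        print("review:", path)
```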

#7
md2o2o

md2o2o

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry it takes a while to get back to you. I work crazy hours. Anyway, before your last response I went ahead and uninstalled Command Antivirus because I think it had been corrupted. I installed Trojan Hunter instead and it found and removed some of the items that were showing up in Command. I also ran spysweeper which removed several things. Below is the report from trojan hunter, spysweeper, and a new HJT log.

Trojan Hunter Log

Files\SpamBlockerUtility\bin\4.6.1.0\SbShprRprt.exe.tcf
Renamed file C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\sbuinst.exe to C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\sbuinst.exe.tcf
Renamed file C:\Program Files\SpamBlockerUtility\bin\SbUninst.exe to C:\Program Files\SpamBlockerUtility\bin\SbUninst.exe.tcf
Renamed file C:\RECYCLER\S-1-5-21-3690246030-55483478-2430187249-1006\Dc139.dll to C:\RECYCLER\S-1-5-21-3690246030-55483478-2430187249-1006\Dc139.dll.tcf
Renamed file C:\WINDOWS\Downloaded Program Files\ybuictrl.dll to C:\WINDOWS\Downloaded Program Files\ybuictrl.dll.tcf
Renamed file C:\WINDOWS\system32\a_i_037.dll to C:\WINDOWS\system32\a_i_037.dll.tcf
Renamed file C:\WINDOWS\system32\a_i_037.exe to C:\WINDOWS\system32\a_i_037.exe.tcf
Renamed file C:\WINDOWS\system32\gfzzdqpb.exe to C:\WINDOWS\system32\gfzzdqpb.exe.tcf
Trojan cleaning finished.

********
1:09 PM: |··· Start of Session, Thursday, October 06, 2005 ···|
1:09 PM: Spy Sweeper started
1:09 PM: Sweep initiated using definitions version 551
1:09 PM: Starting Memory Sweep
1:11 PM: Memory Sweep Complete, Elapsed Time: 00:02:57
1:11 PM: Starting Registry Sweep
1:12 PM: Found Adware: altnet
1:12 PM: HKLM\software\classes\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (23 subtraces) (ID = 103494)
1:12 PM: Found Adware: apropos
1:12 PM: HKU\S-1-5-21-3690246030-55483478-2430187249-1006\software\aprps\ (7 subtraces) (ID = 103740)
1:12 PM: HKLM\software\aprps\ (8 subtraces) (ID = 103741)
1:12 PM: Found Adware: elitebar
1:12 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
1:12 PM: Found Adware: hotbar
1:12 PM: HKCR\asapcom.asapmain\ (5 subtraces) (ID = 127224)
1:12 PM: HKCR\clsid\{0ab71193-ec19-4d70-85c2-e46e2ff02755}\ (19 subtraces) (ID = 127227)
1:12 PM: HKCR\clsid\{3fa917b9-df69-477f-9e4f-b60d929de79f}\ (22 subtraces) (ID = 127235)
1:12 PM: HKCR\clsid\{8c875948-9c60-4381-9248-0df180542d53}\ (11 subtraces) (ID = 127241)
1:12 PM: HKCR\clsid\{31a59636-0fa3-4a56-954d-db7ad02840d8}\ (13 subtraces) (ID = 127242)
1:12 PM: HKCR\clsid\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (16 subtraces) (ID = 127246)
1:12 PM: HKCR\clsid\{a14c0d8d-e753-4e73-9e2b-4070791d8940}\ (9 subtraces) (ID = 127261)
1:12 PM: HKCR\clsid\{c2baa4c9-ae1e-4605-ae2f-a1c49a30d881}\ (10 subtraces) (ID = 127267)
1:12 PM: HKLM\software\classes\asapcom.asapclass.1\ (3 subtraces) (ID = 127385)
1:12 PM: HKLM\software\classes\asapcom.asapmain\ (5 subtraces) (ID = 127388)
1:12 PM: HKLM\software\classes\clsid\{0ab71193-ec19-4d70-85c2-e46e2ff02755}\ (19 subtraces) (ID = 127393)
1:12 PM: HKLM\software\classes\clsid\{3fa917b9-df69-477f-9e4f-b60d929de79f}\ (22 subtraces) (ID = 127399)
1:12 PM: HKLM\software\classes\clsid\{8c875948-9c60-4381-9248-0df180542d53}\ (11 subtraces) (ID = 127404)
1:12 PM: HKLM\software\classes\clsid\{31a59636-0fa3-4a56-954d-db7ad02840d8}\ (13 subtraces) (ID = 127405)
1:12 PM: HKLM\software\classes\clsid\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (16 subtraces) (ID = 127409)
1:12 PM: HKLM\software\classes\clsid\{460ac4db-b0de-4626-a0f0-175dd84dcb9b}\ (2 subtraces) (ID = 127416)
1:12 PM: HKLM\software\classes\clsid\{a14c0d8d-e753-4e73-9e2b-4070791d8940}\ (9 subtraces) (ID = 127425)
1:12 PM: HKLM\software\classes\clsid\{c2baa4c9-ae1e-4605-ae2f-a1c49a30d881}\ (10 subtraces) (ID = 127431)
1:12 PM: HKLM\software\classes\clsid\{ed8525ea-2bfc-4440-bd8a-20efb9d5e541}\ (10 subtraces) (ID = 127436)
1:12 PM: HKLM\software\classes\spamblockerconfig.application\ (2 subtraces) (ID = 127536)
1:12 PM: HKLM\software\classes\typelib\{4cf5a3c1-07a2-4336-9b54-6870452ebde1}\ (9 subtraces) (ID = 127537)
1:12 PM: HKU\S-1-5-21-3690246030-55483478-2430187249-1006\software\microsoft\internet explorer\explorer bars\{66b90adb-0be3-40ae-8680-84a6f0577ca0}\ (2 subtraces) (ID = 127570)
1:12 PM: HKCR\spamblockerconfig.application\ (2 subtraces) (ID = 127634)
1:12 PM: HKCR\typelib\{4cf5a3c1-07a2-4336-9b54-6870452ebde1}\ (9 subtraces) (ID = 127635)
1:12 PM: Found Adware: search fast communicator toolbar
1:12 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
1:12 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\ (6 subtraces) (ID = 140681)
1:12 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
1:12 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
1:12 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
1:12 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
1:12 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
1:12 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
1:12 PM: HKU\S-1-5-21-3690246030-55483478-2430187249-1006\software\communicator toolbar\ (9 subtraces) (ID = 140688)
1:12 PM: HKU\S-1-5-21-3690246030-55483478-2430187249-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
1:12 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
1:12 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb428}\ (6 subtraces) (ID = 140692)
1:12 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
1:12 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
1:12 PM: Found Adware: searchforit
1:12 PM: HKCR\ca.cas\ (5 subtraces) (ID = 141009)
1:12 PM: HKCR\ca.cas.1\ (3 subtraces) (ID = 141010)
1:12 PM: HKCR\clsid\{b5f3970b-745e-46ac-b890-e08f69777d80}\ (11 subtraces) (ID = 141018)
1:12 PM: HKLM\software\classes\ca.cas\ (5 subtraces) (ID = 141027)
1:12 PM: HKLM\software\classes\ca.cas.1\ (3 subtraces) (ID = 141028)
1:12 PM: HKLM\software\classes\clsid\{b5f3970b-745e-46ac-b890-e08f69777d80}\ (11 subtraces) (ID = 141036)
1:12 PM: HKLM\software\classes\typelib\{919f8a8d-135d-44fc-a809-b36083eeae35}\ (9 subtraces) (ID = 141045)
1:12 PM: HKCR\typelib\{919f8a8d-135d-44fc-a809-b36083eeae35}\ (9 subtraces) (ID = 141065)
1:12 PM: Found Adware: topsearch
1:12 PM: HKCR\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (23 subtraces) (ID = 143925)
1:12 PM: HKLM\software\classes\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\ (9 subtraces) (ID = 143928)
1:12 PM: HKCR\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\ (9 subtraces) (ID = 143930)
1:12 PM: Found System Monitor: visual log
1:12 PM: HKU\S-1-5-21-3690246030-55483478-2430187249-1006\software\qsetup_dyn_data\ (2 subtraces) (ID = 145736)
1:12 PM: Found Adware: delfin
1:12 PM: HKLM\software\wincin\ (2 subtraces) (ID = 359317)
1:12 PM: Found Adware: shopathomeselect
1:12 PM: HKLM\software\microsoft\code store database\distribution units\{5f3b3060-09e0-44c6-86f7-bc7b02b57bee}\ (11 subtraces) (ID = 629042)
1:12 PM: HKCR\interface\{023a4648-601a-4c30-8a2e-c72ebfa99af6}\ (7 subtraces) (ID = 774214)
1:12 PM: HKCR\interface\{175816a5-219e-4079-b2f9-53c501c409ba}\ (7 subtraces) (ID = 774223)
1:12 PM: HKCR\interface\{19ebcbe0-9245-4397-bc5d-883d34782043}\ (7 subtraces) (ID = 774232)
1:12 PM: HKCR\interface\{27c4569f-8728-4958-a920-a607cae8153c}\ (7 subtraces) (ID = 774259)
1:12 PM: HKCR\interface\{38370864-346f-4afa-8c4b-4fbff518c0bb}\ (8 subtraces) (ID = 774268)
1:12 PM: HKCR\interface\{397a208b-3d09-4b3e-93e8-ca171886612e}\ (7 subtraces) (ID = 774277)
1:12 PM: HKCR\interface\{421745e9-16df-4ee4-a758-d51f939c49cb}\ (7 subtraces) (ID = 774286)
1:12 PM: HKCR\interface\{4331ec56-0aab-499e-8757-dd2ee44ad671}\ (7 subtraces) (ID = 774295)
1:12 PM: HKCR\interface\{54286c3a-e044-4e65-bd44-528d6ae28a18}\ (7 subtraces) (ID = 774304)
1:12 PM: HKCR\interface\{5f2b9de7-f878-4762-8cfe-e9c58f082f0e}\ (7 subtraces) (ID = 774331)
1:12 PM: HKCR\interface\{8654592e-952a-4e7c-a960-304763b35fa6}\ (7 subtraces) (ID = 774349)
1:12 PM: HKCR\interface\{8a61a950-c325-4f44-ba64-273180ff3464}\ (7 subtraces) (ID = 774358)
1:12 PM: HKCR\interface\{8d5c4ec6-af8e-4b85-ba27-64babe410510}\ (7 subtraces) (ID = 774367)
1:12 PM: HKCR\interface\{8e98faf8-794f-47f9-af90-15305564ed81}\ (7 subtraces) (ID = 774376)
1:12 PM: HKCR\interface\{af15975b-1498-4740-8e6c-90af78e4198c}\ (7 subtraces) (ID = 774385)
1:12 PM: HKCR\interface\{b53d4cd4-406d-43cc-8244-7893d72236dd}\ (7 subtraces) (ID = 774394)
1:12 PM: HKCR\interface\{b9bb3219-f84c-4060-966b-4a1e73e24226}\ (7 subtraces) (ID = 774412)
1:12 PM: HKCR\interface\{bc8c2e5f-d8b4-4997-bce3-8775c3707956}\ (7 subtraces) (ID = 774421)
1:12 PM: HKCR\interface\{d082721f-4bd4-4b8b-bb82-06753ee6174f}\ (7 subtraces) (ID = 774430)
1:12 PM: HKCR\interface\{d24f9d3c-5d4c-47f8-9ab7-632b44ad6a0d}\ (7 subtraces) (ID = 774439)
1:12 PM: HKCR\interface\{f43ec88b-b6c8-4969-a763-e2bf55602cce}\ (7 subtraces) (ID = 774448)
1:12 PM: HKCR\interface\{f786cb18-3809-4e49-bc99-9a66da47db8b}\ (7 subtraces) (ID = 774457)
1:12 PM: HKCR\interface\{f814be58-1bf9-4b50-829a-e889f86127ad}\ (7 subtraces) (ID = 774466)
1:12 PM: HKLM\software\classes\interface\{023a4648-601a-4c30-8a2e-c72ebfa99af6}\ (7 subtraces) (ID = 774490)
1:12 PM: HKLM\software\classes\interface\{175816a5-219e-4079-b2f9-53c501c409ba}\ (7 subtraces) (ID = 774499)
1:12 PM: HKLM\software\classes\interface\{19ebcbe0-9245-4397-bc5d-883d34782043}\ (7 subtraces) (ID = 774508)
1:12 PM: HKLM\software\classes\interface\{27c4569f-8728-4958-a920-a607cae8153c}\ (7 subtraces) (ID = 774535)
1:12 PM: HKLM\software\classes\interface\{38370864-346f-4afa-8c4b-4fbff518c0bb}\ (8 subtraces) (ID = 774544)
1:12 PM: HKLM\software\classes\interface\{397a208b-3d09-4b3e-93e8-ca171886612e}\ (7 subtraces) (ID = 774553)
1:12 PM: HKLM\software\classes\interface\{421745e9-16df-4ee4-a758-d51f939c49cb}\ (7 subtraces) (ID = 774562)
1:12 PM: HKLM\software\classes\interface\{4331ec56-0aab-499e-8757-dd2ee44ad671}\ (7 subtraces) (ID = 774571)
1:12 PM: HKLM\software\classes\interface\{54286c3a-e044-4e65-bd44-528d6ae28a18}\ (7 subtraces) (ID = 774580)
1:12 PM: HKLM\software\classes\interface\{5f2b9de7-f878-4762-8cfe-e9c58f082f0e}\ (7 subtraces) (ID = 774607)
1:12 PM: HKLM\software\classes\interface\{8654592e-952a-4e7c-a960-304763b35fa6}\ (7 subtraces) (ID = 774625)
1:12 PM: HKLM\software\classes\interface\{8a61a950-c325-4f44-ba64-273180ff3464}\ (7 subtraces) (ID = 774634)
1:12 PM: HKLM\software\classes\interface\{8d5c4ec6-af8e-4b85-ba27-64babe410510}\ (7 subtraces) (ID = 774643)
1:12 PM: HKLM\software\classes\interface\{8e98faf8-794f-47f9-af90-15305564ed81}\ (7 subtraces) (ID = 774652)
1:12 PM: HKLM\software\classes\interface\{af15975b-1498-4740-8e6c-90af78e4198c}\ (7 subtraces) (ID = 774661)
1:12 PM: HKLM\software\classes\interface\{b53d4cd4-406d-43cc-8244-7893d72236dd}\ (7 subtraces) (ID = 774670)
1:12 PM: HKLM\software\classes\interface\{b9bb3219-f84c-4060-966b-4a1e73e24226}\ (7 subtraces) (ID = 774688)
1:12 PM: HKLM\software\classes\interface\{bc8c2e5f-d8b4-4997-bce3-8775c3707956}\ (7 subtraces) (ID = 774697)
1:12 PM: HKLM\software\classes\interface\{d082721f-4bd4-4b8b-bb82-06753ee6174f}\ (7 subtraces) (ID = 774706)
1:12 PM: HKLM\software\classes\interface\{d24f9d3c-5d4c-47f8-9ab7-632b44ad6a0d}\ (7 subtraces) (ID = 774715)
1:12 PM: HKLM\software\classes\interface\{f43ec88b-b6c8-4969-a763-e2bf55602cce}\ (7 subtraces) (ID = 774724)
1:12 PM: HKLM\software\classes\interface\{f786cb18-3809-4e49-bc99-9a66da47db8b}\ (7 subtraces) (ID = 774733)
1:12 PM: HKLM\software\classes\interface\{f814be58-1bf9-4b50-829a-e889f86127ad}\ (7 subtraces) (ID = 774742)
1:12 PM: HKLM\software\microsoft\code store database\distribution units\{8c875948-9c60-4381-9248-0df180542d53}\ (11 subtraces) (ID = 774751)
1:12 PM: Registry Sweep Complete, Elapsed Time:00:00:15
1:12 PM: Starting Cookie Sweep
1:12 PM: Found Spy Cookie: 2o7.net cookie
1:12 PM: phyllis dunn@2o7[2].txt (ID = 1957)
1:12 PM: Found Spy Cookie: atlas dmt cookie
1:12 PM: phyllis dunn@atdmt[2].txt (ID = 2253)
1:12 PM: Found Spy Cookie: bluestreak cookie
1:12 PM: phyllis dunn@bluestreak[1].txt (ID = 2314)
1:12 PM: Found Spy Cookie: hitslink cookie
1:12 PM: phyllis [email protected][2].txt (ID = 2790)
1:12 PM: Found Spy Cookie: go.com cookie
1:12 PM: phyllis dunn@go[1].txt (ID = 2728)
1:12 PM: Found Spy Cookie: humanclick cookie
1:12 PM: phyllis [email protected][2].txt (ID = 2810)
1:12 PM: phyllis [email protected][2].txt (ID = 2729)
1:12 PM: Found Spy Cookie: pricegrabber cookie
1:12 PM: phyllis dunn@pricegrabber[1].txt (ID = 3185)
1:12 PM: Found Spy Cookie: questionmarket cookie
1:12 PM: phyllis dunn@questionmarket[1].txt (ID = 3217)
1:12 PM: Found Spy Cookie: tracking cookie
1:12 PM: phyllis dunn@tracking[2].txt (ID = 3571)
1:12 PM: Found Spy Cookie: mytemplatestorage cookie
1:12 PM: phyllis [email protected][1].txt (ID = 3050)
1:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:12 PM: Starting File Sweep
1:12 PM: Found Adware: 180search assistant/zango
1:12 PM: c:\program files\zangoclient (3 subtraces) (ID = -2147479980)
1:12 PM: c:\program files\aprps (8 subtraces) (ID = -2147481420)
1:12 PM: Found Adware: bullguard popup ad
1:12 PM: c:\documents and settings\all users\start menu\programs\bullguard (3 subtraces) (ID = -2147481289)
1:12 PM: c:\documents and settings\all users\application data\nsv (17 subtraces) (ID = -2147481136)
1:12 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
1:12 PM: c:\documents and settings\all users\start menu\programs\zango (2 subtraces) (ID = -2147479982)
1:12 PM: progress.res (ID = 62367)
1:12 PM: progress.res (ID = 62367)
1:14 PM: progress.res (ID = 62367)
1:14 PM: progress.res (ID = 62367)
1:14 PM: bullguard.lnk (ID = 52019)
1:14 PM: bullguard.lnk (ID = 52019)
1:14 PM: setup.inf (ID = 50158)
1:14 PM: silent.exe (ID = 147463)
1:14 PM: zanu_gdf.dat (ID = 93789)
1:14 PM: Found Adware: ezula ilookup
1:14 PM: button_small.gif (ID = 60415)
1:14 PM: Found Adware: surfsidekick
1:14 PM: sskknwrd.dll (ID = 77733)
1:15 PM: dbenderc.dll (ID = 62276)
1:15 PM: grinstall6.dll (ID = 75775)
1:15 PM: Found Adware: mindset interactive - favoriteman
1:15 PM: a_i_037.dll.tcf (ID = 69818)
1:16 PM: eabh.dll (ID = 60427)
1:16 PM: Found Adware: targetsaver
1:16 PM: tsuninst.exe (ID = 78276)
1:16 PM: Found Adware: ist yoursitebar
1:16 PM: a_i_037.exe.tcf (ID = 64498)
1:16 PM: search.src (ID = 111060)
1:17 PM: wingenerics.dll (ID = 50187)
1:17 PM: uzuwc.dll (ID = 78253)
1:17 PM: vocabulary (ID = 78283)
1:17 PM: class-barrel (ID = 78229)
1:17 PM: proxystub.dll (ID = 120164)
1:17 PM: wmv1215.dbd (ID = 57687)
1:17 PM: wmv2007.dbd (ID = 57693)
1:17 PM: wmv1920.dbd (ID = 57692)
1:17 PM: wmv1909.ddx (ID = 57691)
1:17 PM: wmv1125.ddx (ID = 57685)
1:17 PM: wmv1204.ddx (ID = 57683)
1:17 PM: wmv0904.ddx (ID = 57691)
1:17 PM: email-def-email-backgrounds.mnu (ID = 121844)
1:17 PM: email-premium-email-premium.mnu (ID = 121844)
1:17 PM: email-def-511724-9595.mnu (ID = 121842)
1:17 PM: wmv0204.ddx (ID = 57683)
1:17 PM: wmv0504.ddx (ID = 57683)
1:17 PM: wmv0412.ddx (ID = 57683)
1:17 PM: sskcwrd.dll (ID = 77712)
1:17 PM: wmv0106.ddx (ID = 57679)
1:17 PM: wmv0315.ddx (ID = 57683)
1:17 PM: email-def-email-backgrounds.mnu (ID = 121844)
1:17 PM: email-premium-email-premium.mnu (ID = 121844)
1:17 PM: email-def-511724-9595.mnu (ID = 121842)
1:17 PM: email-def-email-backgrounds.mnu (ID = 121844)
1:17 PM: email-def-email-backgrounds.mnu (ID = 121844)
1:17 PM: email-premium-email-premium.mnu (ID = 121844)
1:17 PM: email-def-511724-9595.mnu (ID = 121842)
1:17 PM: email-premium-email-premium.mnu (ID = 121844)
1:17 PM: email-def-511724-9595.mnu (ID = 121842)
1:17 PM: grinstall.inf (ID = 75773)
1:17 PM: param.ez (ID = 111058)
1:17 PM: legend.lgn (ID = 111056)
1:17 PM: spamblockerutility.inf (ID = 62333)
1:17 PM: progress.xip (ID = 62368)
1:17 PM: business_promo.xip (ID = 121856)
1:17 PM: progress.xip (ID = 62368)
1:17 PM: business_promo.xip (ID = 121856)
1:17 PM: clientax.inf (ID = 70515)
1:17 PM: File Sweep Complete, Elapsed Time: 00:05:18
1:17 PM: Full Sweep has completed. Elapsed time 00:08:36
1:17 PM: Traces Found: 1008
1:18 PM: Removal process initiated
1:18 PM: Quarantining All Traces: altnet
1:18 PM: Quarantining All Traces: apropos
1:18 PM: Quarantining All Traces: elitebar
1:18 PM: Quarantining All Traces: hotbar
1:18 PM: Quarantining All Traces: search fast communicator toolbar
1:18 PM: Quarantining All Traces: searchforit
1:18 PM: Quarantining All Traces: topsearch
1:19 PM: Quarantining All Traces: visual log
1:19 PM: Quarantining All Traces: delfin
1:19 PM: Quarantining All Traces: shopathomeselect
1:19 PM: Quarantining All Traces: 2o7.net cookie
1:19 PM: Quarantining All Traces: atlas dmt cookie
1:19 PM: Quarantining All Traces: bluestreak cookie
1:19 PM: Quarantining All Traces: hitslink cookie
1:19 PM: Quarantining All Traces: go.com cookie
1:19 PM: Quarantining All Traces: humanclick cookie
1:19 PM: Quarantining All Traces: pricegrabber cookie
1:19 PM: Quarantining All Traces: questionmarket cookie
1:19 PM: Quarantining All Traces: tracking cookie
1:19 PM: Quarantining All Traces: mytemplatestorage cookie
1:19 PM: Quarantining All Traces: 180search assistant/zango
1:19 PM: Quarantining All Traces: bullguard popup ad
1:19 PM: Quarantining All Traces: ezula ilookup
1:19 PM: Quarantining All Traces: surfsidekick
1:19 PM: Quarantining All Traces: mindset interactive - favoriteman
1:19 PM: Quarantining All Traces: targetsaver
1:19 PM: Quarantining All Traces: ist yoursitebar
1:19 PM: Removal process completed. Elapsed time 00:01:33
********

Logfile of HijackThis v1.99.1
Scan saved at 1:31:33 PM, on 10/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CENTAL~3\Cntld1.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Wireless Sync\Client\ClientShell.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\CENTAL~4\centaleim.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Phyllis Dunn\Desktop\Spyware removal Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1stsearchportal.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CentaleD1] C:\PROGRA~1\CENTAL~3\Cntld1.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Centale IM.lnk = C:\Program Files\Centale IM\UNWISE.EXE
O4 - Startup: Check for updates.lnk = C:\Program Files\Centale IM\UNWISE.EXE
O4 - Startup: MOD Updates.lnk = C:\Program Files\MusicOnDemand\update.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {2B55B5F0-9D95-48CF-96A1-FEAF74CEC150} (portLoader Class) - http://a248.g.akamai...g2/download.cab
O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} - http://sp.ask.com/do...teomab-inst.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet...s/ybrequest.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://software.news...k1/isetupml.cab
O16 - DPF: {9E72D9D4-4DC3-429C-A4D5-EFF3AC5CC606} (InstallerAX Class) - http://chevy.a.conte...installerAX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.we...bex/ieatgpc.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD3B6305-5C82-4D9C-90B5-4E5F4F53B8B1}: NameServer = 65.169.169.5,204.117.214.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Photoshop CS\service\VersionCue.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - C:\Program Files\HPQ\SHARED\HPQWMI.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

Hopefully this will cure it, but I'm not going to hold my breath on it. Thanks for helping me, I appreciate it very much. Please let me know if there is anything else that looks bad in here.

Matt
  • 0

#8
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1stsearchportal.com/sp2.php
R3 - Default URLSearchHook is missing


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


How is your PC behaving now ????
  • 0

#9
md2o2o

md2o2o

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry for the delay in getting back to you, as I was out of town. I did the last steps and it appears to be running fine. Thanks for your help!!! :tazz:

Matt
  • 0

#10
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Matt,


Everything is fine. We just need to do some cleaning up.



Uninstall Ewido as it is a trial product and the trial period will expire shortly. Conflicts can arise between multiple anti-virus programs and can severely hamper the performance of the PC.
  • 0

#11
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
hi,


CONGRATULATIONS !!!!!!!!!!! Your PC is clean now :tazz:



I would recommend the following steps to keep your PC clean (especially Step 1 to install critical Windows patches including Service Pack 2 or SP2 if not already installed and Step 8 now that your PC is clean) -

PREVENTIVE MEASURES FOR FUTURE

Operating System
1. Keep Windows and Internet Explorer updated with the latest fixes. These fixes are available free from Microsoft. Click on Tools in the IE menu bar and then on Windows Update. You can also use the following links:

Windows security and critical updates
Internet Explorer security and critical updates

Also ensure that automatic updates are enabled for faster updating of the system.
(Right click on My Computer on your desktop, then Properties and the Automatic Updates tab.)


Anti-Virus Software
2. Keep your anti-virus program updated with the latest definitions. Some of the common anti-virus programs in use are:

Norton Anti-Virus
McAfee Anti-Virus
AVG Anti-Virus --- freeware
Avast Home Edition --- freeware

Use only one anti-virus program as multiple such programs can create conflicts between themselves and severely hamper the performance of your PC.


Firewall
3. You should also have a good firewall. Here are 3 free ones available for personal use:
Sygate Personal Firewall, Kerio Personal Firewall, ZoneAlarm


Internet Browsers
4. Have robust browser settings. It is preferable to use an internet browser other than IE, as most of the malware is targeted at IE. In case you prefer to use IE, then download a list of innocent-looking but harmful websites from IE-SPYAD and install it on your PC. IE-SPYAD puts over 5000 sites in your Internet Explorer's Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.

Some alternate browsers I suggest are Firefox Mozilla Browser and Opera

Ensure that the security level, irrespective of which browser you use, is set at Medium or higher, and restrict the usage of cookies and ActiveX components.


Spyware Protection
5. Have a wall of protection against spyware / adware by installing SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs.
SpywareBlaster will prevent spyware from being installed and consumes no system resources.
SpywareGuard offers real-time protection from spyware installation and browser hijack attempts. Both have free ongoing updates.


Spyware Removers
6. Install programs that scan for malware and remove it. Two of the best programs, both freeware, are:

Spybot Search & Destroy - A powerful tool which can search for and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware SE Personal Edition - Another very powerful tool which searches for and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.


Regular Maintenance of PC
7. Finally, invest some time in regular maintenance of your PC. Delete the temporary Internet files, temporary files, cookies, etc. Click on the Start button, then Programs, Accessories, System Tools, and run the Disk Cleanup program. Follow the instructions.

An alternative freeware program which can be used is CleanUp.

Keep your Registry clean. My favourite software is Registry First Aid. This is not freeware, but a trial version can be downloaded.


System Restore Points
8. Since your PC is currently clean, create a System Restore point. A System Restore would enable you to revert to the settings the PC had when the restore point was created. It is also a good idea to flush all earlier System Restore points, which may contain infected files.

A. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

B. Restart your computer.

C. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Uncheck Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Go ahead and enjoy a clean PC!
  • 0

#12
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
