Comet Systems Adware



#1
wwisconsin
  • Member
  • 25 posts
My XP Home Edition computer is set up so that we each have our own log-in at the welcome screen. When my wife logs in, Microsoft AntiSpyware comes up "red" with a warning that Comet Systems Adware is trying to install. She always hits the remove now option. It claims to remove it and she moves on. However, she has been getting the warning at each log-on for several months. I have tried Ad-Aware, Spybot, Spyblaster, and MS AntiSpyware to get rid of it. Please help. Thanks
Pat

Logfile of HijackThis v1.99.1
Scan saved at 9:06:04 AM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0



#2
ukbiker
    Rest in Peace, ukbiker
  • Retired Staff
  • 2,014 posts
Hi There

I am UKBiker and I will be helping you with this log. If you still need help, please post a fresh HJT log here in a reply to this topic.
  • 0

#3
wwisconsin
  • Topic Starter
  • Member
  • 25 posts
Yes. I do still need help. Thanks

I just did a computer restart, logged in as my wife, and captured this log as soon as I was able. The Microsoft AntiSpyware warning about Comet Systems was already up when I captured the log.

Thanks again


Logfile of HijackThis v1.99.1
Scan saved at 7:20:50 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\system32\msvcmm32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
ukbiker
    Rest in Peace, ukbiker
  • Retired Staff
  • 2,014 posts
Hi there

Is there anything disabled from startup in your msconfig? If so, please re-enable everything and then carry on as below.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
If you did have items disabled in msconfig, please ensure that they are still enabled and post a fresh HJT log here for me please.
  • 0

#5
wwisconsin
  • Topic Starter
  • Member
  • 25 posts
Yes. I did have the following disabled - sorry.
SMSS
Google Desktop
Movielink Manager
MMTask
NWIZ
QTTASK

I probably disabled it months ago because I can't stand this crap taking over my computer.
Anyway, I enabled everything as you asked and did a restart. On restart, Movielink Manager did an automatic update. Then I restarted again, logged on as my wife and captured the following log.

Logfile of HijackThis v1.99.1
Scan saved at 8:04:08 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\DOCUME~1\Dad\MYDOCU~1\DIAGNO~1\MOVIEL~1\MOVIEL~3.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Documents and Settings\Dad\My Documents\diagnostics\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Debug ] C:\WINDOWS\SMSS.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Movielink Core Service - Unknown owner - C:\DOCUME~1\Dad\MYDOCU~1\DIAGNO~1\MOVIEL~1\MOVIEL~3.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
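The logs in this thread are read by eye, and the entries that matter are visible in the log just posted: a Run value launching SMSS.exe from C:\WINDOWS rather than from System32, a startup item and a service living under a user's My Documents folder, and a few registered components whose files are gone. As an added example (not code from this thread, from HijackThis, or from Geeks to Go), the Python script below applies those same three checks to HijackThis v1.99-format lines. The heuristics, the severity labels and the SAMPLE_LOG lines are my own constructions modelled on the logs above; the script only flags entries for a person to review and removes nothing.

```python
"""Triage a HijackThis (HJT) log: flag the entries a helper looks at first.

Added example, not part of this thread or of HijackThis. SAMPLE_LOG is
constructed in HJT v1.99 format, modelled on the logs posted in the thread.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Core Windows binaries that belong in %SystemRoot%\System32. A Run entry
# launching a same-named file from anywhere else (or with no path at all)
# deserves a closer look. System roots below are an assumption.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# Startup items that run from a user profile are unusual for system software.
PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_O3_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - "
                      r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First thing on the command line that ends in .exe, with a leading quote allowed.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

# Constructed sample in HJT format; CLSIDs and paths are illustrative.
SAMPLE_LOG = r"""
O2 - BHO: Example Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Example Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Example\toolbar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Documents and Settings\Dad\My Documents\diagnostics\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [Debug ] C:\WINDOWS\SMSS.exe
O23 - Service: Movielink Core Service - Unknown owner - C:\DOCUME~1\Dad\MYDOCU~1\DIAGNO~1\MOVIEL~1\MOVIEL~3.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    line: str
    reason: str


def launched_exe(cmd: str) -> str:
    """Return the executable a Run command launches, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group("exe")
    return (cmd.strip().split() or [""])[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the three checks to every line; return findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = launched_exe(m.group("cmd"))
            base = ntpath.basename(exe).lower()
            folder = ntpath.dirname(exe).lower()
            if base in SYSTEM32_ONLY and folder not in SYSTEM32_DIRS:
                findings.append(Finding("high", line,
                    f"{base} is a core Windows binary but is launched from "
                    f"{folder or '(no path given)'}"))
            elif exe.lower().startswith(PROFILE_PREFIXES):
                findings.append(Finding("medium", line,
                    "startup item runs from a user profile directory"))
        elif m := O2_O3_RE.match(line):
            if "(no file)" in m.group("path") or "(file missing)" in m.group("path"):
                findings.append(Finding("low", line,
                    f"{m.group('name')} is registered but its file is missing (orphaned entry)"))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner" or "(file missing)" in m.group("path"):
                findings.append(Finding("medium", line,
                    f"service '{m.group('display')}' has no identified publisher or its binary is missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as a script to print the findings for the sample, or import triage() and feed it a whole pasted log. The O4 check keys on the file name only, so a Run entry that launches a differently named file from C:\WINDOWS is not caught; it is a first pass to direct attention, not a verdict on any entry.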

#6
ukbiker
    Rest in Peace, ukbiker
  • Retired Staff
  • 2,014 posts
Hi There

That's better, I can see what's happening now.

Please download SpySweeper as per my earlier post and run it as instructed.
  • 0

#7
wwisconsin
  • Topic Starter
  • Member
  • 25 posts
Okay. I downloaded SpySweeper, installed it, updated definitions and ran a scan. It found a lot of threats. I selected all and hit next. I think it worked (see my notes after this Sweep Log).

********
8:36 PM: |··· Start of Session, Monday, October 10, 2005 ···|
8:36 PM: Spy Sweeper started
8:36 PM: Sweep initiated using definitions version 552
8:36 PM: Starting Memory Sweep
8:39 PM: Memory Sweep Complete, Elapsed Time: 00:02:55
8:39 PM: Starting Registry Sweep
8:39 PM: Found Adware: comet cursor
8:39 PM: HKU\WRSS_Profile_S-1-5-21-1645522239-1757981266-725345543-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
8:39 PM: Found Adware: ist istbar
8:39 PM: HKLM\software\classes\typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429}\ (7 subtraces) (ID = 129103)
8:39 PM: HKCR\typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429}\ (7 subtraces) (ID = 129190)
8:39 PM: Found Adware: winad
8:39 PM: HKCR\appid\loaderx.exe\ (1 subtraces) (ID = 147150)
8:39 PM: HKCR\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147151)
8:39 PM: HKLM\software\classes\appid\loaderx.exe\ (1 subtraces) (ID = 147164)
8:39 PM: HKLM\software\classes\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147165)
8:39 PM: HKLM\software\classes\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147176)
8:39 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
8:39 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
8:39 PM: HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147244)
8:39 PM: Registry Sweep Complete, Elapsed Time:00:00:11
8:39 PM: Starting Cookie Sweep
8:39 PM: Found Spy Cookie: yieldmanager cookie
8:39 PM: dad@ad.yieldmanager[2].txt (ID = 3751)
8:39 PM: Found Spy Cookie: atwola cookie
8:39 PM: dad@atwola[1].txt (ID = 2255)
8:39 PM: Found Spy Cookie: realmedia cookie
8:39 PM: dad@realmedia[1].txt (ID = 3235)
8:39 PM: Found Spy Cookie: 2o7.net cookie
8:39 PM: mom@2o7[1].txt (ID = 1957)
8:39 PM: Found Spy Cookie: overture cookie
8:39 PM: mom@perf.overture[1].txt (ID = 3106)
8:39 PM: Found Spy Cookie: centrport net cookie
8:39 PM: sam@centrport[1].txt (ID = 2374)
8:39 PM: Found Spy Cookie: 247realmedia cookie
8:39 PM: eric@247realmedia[1].txt (ID = 1953)
8:39 PM: eric@2o7[2].txt (ID = 1957)
8:39 PM: Found Spy Cookie: 64.62.232 cookie
8:39 PM: eric@64.62.232[1].txt (ID = 1987)
8:39 PM: Found Spy Cookie: about cookie
8:39 PM: eric@about[1].txt (ID = 2037)
8:39 PM: eric@ad.yieldmanager[2].txt (ID = 3751)
8:39 PM: Found Spy Cookie: adknowledge cookie
8:39 PM: eric@adknowledge[1].txt (ID = 2072)
8:39 PM: Found Spy Cookie: addynamix cookie
8:39 PM: eric@ads.addynamix[1].txt (ID = 2062)
8:39 PM: Found Spy Cookie: pointroll cookie
8:39 PM: eric@ads.pointroll[1].txt (ID = 3148)
8:39 PM: Found Spy Cookie: adtech cookie
8:39 PM: eric@adtech[2].txt (ID = 2155)
8:39 PM: Found Spy Cookie: apmebf cookie
8:39 PM: eric@apmebf[2].txt (ID = 2229)
8:39 PM: eric@ar.atwola[1].txt (ID = 2256)
8:39 PM: Found Spy Cookie: belnk cookie
8:39 PM: eric@ath.belnk[1].txt (ID = 2293)
8:39 PM: eric@atwola[2].txt (ID = 2255)
8:39 PM: Found Spy Cookie: go.com cookie
8:39 PM: eric@autobytel.espn.go[2].txt (ID = 2729)
8:39 PM: eric@belnk[2].txt (ID = 2292)
8:39 PM: Found Spy Cookie: bluestreak cookie
8:39 PM: eric@bluestreak[1].txt (ID = 2314)
8:39 PM: Found Spy Cookie: burstnet cookie
8:39 PM: eric@burstnet[2].txt (ID = 2336)
8:39 PM: eric@burstnet[3].txt (ID = 2336)
8:39 PM: eric@burstnet[4].txt (ID = 2336)
8:39 PM: Found Spy Cookie: cardomain cookie
8:39 PM: eric@cardomain[2].txt (ID = 2350)
8:39 PM: eric@centrport[2].txt (ID = 2374)
8:39 PM: eric@cnn.122.2o7[1].txt (ID = 1958)
8:39 PM: Found Spy Cookie: adbureau cookie
8:39 PM: eric@creview.adbureau[2].txt (ID = 2060)
8:39 PM: eric@dist.belnk[1].txt (ID = 2293)
8:39 PM: Found Spy Cookie: ru4 cookie
8:39 PM: eric@edge.ru4[1].txt (ID = 3269)
8:39 PM: eric@espn.go[1].txt (ID = 2729)
8:39 PM: eric@games.espn.go[1].txt (ID = 2729)
8:39 PM: Found Spy Cookie: goclick cookie
8:39 PM: eric@goclick[1].txt (ID = 2732)
8:39 PM: eric@go[2].txt (ID = 2728)
8:39 PM: eric@go[3].txt (ID = 2728)
8:39 PM: Found Spy Cookie: humanclick cookie
8:39 PM: eric@hc2.humanclick[2].txt (ID = 2810)
8:39 PM: Found Spy Cookie: hypertracker.com cookie
8:39 PM: eric@hypertracker[1].txt (ID = 2817)
8:39 PM: Found Spy Cookie: ic-live cookie
8:39 PM: eric@ic-live[1].txt (ID = 2821)
8:39 PM: eric@my.espn.go[1].txt (ID = 2729)
8:39 PM: eric@overture[2].txt (ID = 3105)
8:39 PM: Found Spy Cookie: touchclarity cookie
8:39 PM: eric@partypoker.touchclarity[2].txt (ID = 3567)
8:39 PM: Found Spy Cookie: partypoker cookie
8:39 PM: eric@partypoker[2].txt (ID = 3111)
8:39 PM: eric@perf.overture[1].txt (ID = 3106)
8:39 PM: eric@proxy.espn.go[1].txt (ID = 2729)
8:39 PM: Found Spy Cookie: qksrv cookie
8:39 PM: eric@qksrv[2].txt (ID = 3213)
8:39 PM: Found Spy Cookie: questionmarket cookie
8:39 PM: eric@questionmarket[1].txt (ID = 3217)
8:39 PM: eric@r.espn.go[1].txt (ID = 2729)
8:39 PM: Found Spy Cookie: rc cookie
8:39 PM: eric@rc[1].txt (ID = 3231)
8:39 PM: eric@realmedia[1].txt (ID = 3235)
8:39 PM: eric@rsi.espn.go[1].txt (ID = 2729)
8:39 PM: Found Spy Cookie: web-stat cookie
8:39 PM: eric@server3.web-stat[1].txt (ID = 3649)
8:39 PM: eric@soccernet.espn.go[1].txt (ID = 2729)
8:39 PM: eric@sonycorporate.122.2o7[1].txt (ID = 1958)
8:39 PM: eric@sports.espn.go[2].txt (ID = 2729)
8:39 PM: Found Spy Cookie: dealtime cookie
8:39 PM: eric@stat.dealtime[1].txt (ID = 2506)
8:39 PM: Found Spy Cookie: onestat.com cookie
8:39 PM: eric@stat.onestat[2].txt (ID = 3098)
8:39 PM: Found Spy Cookie: statcounter cookie
8:39 PM: eric@statcounter[1].txt (ID = 3447)
8:39 PM: Found Spy Cookie: webtrendslive cookie
8:39 PM: eric@statse.webtrendslive[2].txt (ID = 3667)
8:39 PM: Found Spy Cookie: tracking cookie
8:39 PM: eric@tracking[2].txt (ID = 3571)
8:39 PM: Found Spy Cookie: tradedoubler cookie
8:39 PM: eric@tradedoubler[1].txt (ID = 3575)
8:39 PM: Found Spy Cookie: myaffiliateprogram.com cookie
8:39 PM: eric@www.myaffiliateprogram[1].txt (ID = 3032)
8:39 PM: Found Spy Cookie: adserver cookie
8:39 PM: eric@z1.adserver[1].txt (ID = 2142)
8:39 PM: Found Spy Cookie: atlas dmt cookie
8:39 PM: z guest of radles@atdmt[2].txt (ID = 2253)
8:39 PM: z guest of radles@atwola[2].txt (ID = 2255)
8:39 PM: z guest of radles@centrport[2].txt (ID = 2374)
8:39 PM: z guest of radles@cnn.122.2o7[2].txt (ID = 1958)
8:39 PM: Found Spy Cookie: fastclick cookie
8:39 PM: z guest of radles@fastclick[1].txt (ID = 2651)
8:39 PM: z guest of radles@overture[1].txt (ID = 3105)
8:39 PM: z guest of radles@z1.adserver[1].txt (ID = 2142)
8:39 PM: Cookie Sweep Complete, Elapsed Time: 00:00:09
8:39 PM: Starting File Sweep
8:41 PM: Warning: Failed to read file "c:\documents and settings\dad\local settings\temp\perflib_perfdata_408.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
8:41 PM: Found Adware: gain-supported software
8:41 PM: gator.txt (ID = 61395)
8:51 PM: Found Adware: cydoor peer-to-peer dependency
8:51 PM: cd_clint.dll (ID = 57300)
8:52 PM: Warning: Failed to read file "c:\documents and settings\dad\local settings\application data\google\google desktop search\dbeam". System Error. Code: 32.
The process cannot access the file because it is being used by another process
8:52 PM: Warning: Failed to read file "c:\documents and settings\dad\local settings\application data\google\google desktop search\dbdam". System Error. Code: 32.
The process cannot access the file because it is being used by another process
8:52 PM: File Sweep Complete, Elapsed Time: 00:13:06
8:52 PM: Full Sweep has completed. Elapsed time 00:16:27
8:52 PM: Traces Found: 121
8:53 PM: Removal process initiated
8:53 PM: Quarantining All Traces: comet cursor
8:53 PM: Quarantining All Traces: ist istbar
8:53 PM: Quarantining All Traces: winad
8:53 PM: Quarantining All Traces: yieldmanager cookie
8:53 PM: Quarantining All Traces: atwola cookie
8:54 PM: Quarantining All Traces: realmedia cookie
8:54 PM: Quarantining All Traces: 2o7.net cookie
8:54 PM: Quarantining All Traces: overture cookie
8:54 PM: Quarantining All Traces: centrport net cookie
8:54 PM: Quarantining All Traces: 247realmedia cookie
8:54 PM: Quarantining All Traces: 64.62.232 cookie
8:54 PM: Quarantining All Traces: about cookie
8:54 PM: Quarantining All Traces: adknowledge cookie
8:54 PM: Quarantining All Traces: addynamix cookie
8:54 PM: Quarantining All Traces: pointroll cookie
8:54 PM: Quarantining All Traces: adtech cookie
8:54 PM: Quarantining All Traces: apmebf cookie
8:54 PM: Quarantining All Traces: belnk cookie
8:54 PM: Quarantining All Traces: go.com cookie
8:54 PM: Quarantining All Traces: bluestreak cookie
8:54 PM: Quarantining All Traces: burstnet cookie
8:54 PM: Quarantining All Traces: cardomain cookie
8:54 PM: Quarantining All Traces: adbureau cookie
8:54 PM: Quarantining All Traces: ru4 cookie
8:54 PM: Quarantining All Traces: goclick cookie
8:54 PM: Quarantining All Traces: humanclick cookie
8:54 PM: Quarantining All Traces: hypertracker.com cookie
8:54 PM: Quarantining All Traces: ic-live cookie
8:54 PM: Quarantining All Traces: touchclarity cookie
8:54 PM: Quarantining All Traces: partypoker cookie
8:54 PM: Quarantining All Traces: qksrv cookie
8:54 PM: Quarantining All Traces: questionmarket cookie
8:54 PM: Quarantining All Traces: rc cookie
8:54 PM: Quarantining All Traces: web-stat cookie
8:54 PM: Quarantining All Traces: dealtime cookie
8:54 PM: Quarantining All Traces: onestat.com cookie
8:54 PM: Quarantining All Traces: statcounter cookie
8:54 PM: Quarantining All Traces: webtrendslive cookie
8:54 PM: Quarantining All Traces: tracking cookie
8:54 PM: Quarantining All Traces: tradedoubler cookie
8:54 PM: Quarantining All Traces: myaffiliateprogram.com cookie
8:54 PM: Quarantining All Traces: adserver cookie
8:54 PM: Quarantining All Traces: atlas dmt cookie
8:54 PM: Quarantining All Traces: fastclick cookie
8:54 PM: Quarantining All Traces: gain-supported software
8:54 PM: Quarantining All Traces: cydoor peer-to-peer dependency
8:55 PM: Removal process completed. Elapsed time 00:01:57
********
8:18 PM: |··· Start of Session, Monday, October 10, 2005 ···|
8:18 PM: Spy Sweeper started
8:19 PM: Hosts file is too large.
8:21 PM: Updating spyware definitions
8:21 PM: Your definitions are up to date.
8:21 PM: Updating spyware definitions
8:21 PM: Your definitions are up to date.
8:36 PM: Hosts file is too large.
8:36 PM: |··· End of Session, Monday, October 10, 2005 ···|




Then I restarted, logged in as my wife, and NO COMET WARNING from MS Antispyware. Fantastic.
Here is the HJT log:




Logfile of HijackThis v1.99.1
Scan saved at 9:01:30 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\DOCUME~1\Dad\MYDOCU~1\DIAGNO~1\MOVIEL~1\MOVIEL~3.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Documents and Settings\Dad\My Documents\diagnostics\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Debug ] C:\WINDOWS\SMSS.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Movielink Core Service - Unknown owner - C:\DOCUME~1\Dad\MYDOCU~1\DIAGNO~1\MOVIEL~1\MOVIEL~3.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks a lot.

My computer seems so bogged down now, especially with the Spysweeper free trial running at start-up.
I have Adaware; Spybot; Spyblaster, MS AntiSpyware, CC Cleaner, Norton AntiVirus and Windows Washer 5. Do I really need all this stuff?

Also, do you see a lot of other useless crap that's running in the background from my log file (like Movie Link, Quick Time, etc ...)?
  • 0

#8
ukbiker

ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hi there

I do like Spysweeper, it's great.

Please reboot into safe mode and run Spysweeper again.
  • 0

#9
wwisconsin

wwisconsin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Okay. I restarted to Safe Mode and ran SpySweeper. It found two more things. Here's the log:


********
9:30 PM: |··· Start of Session, Monday, October 10, 2005 ···|
9:30 PM: Spy Sweeper started
9:30 PM: Sweep initiated using definitions version 552
9:30 PM: Starting Memory Sweep
9:31 PM: Memory Sweep Complete, Elapsed Time: 00:01:13
9:31 PM: Starting Registry Sweep
9:31 PM: Registry Sweep Complete, Elapsed Time:00:00:14
9:31 PM: Starting Cookie Sweep
9:31 PM: Found Spy Cookie: atwola cookie
9:31 PM: dad@atwola[1].txt (ID = 2255)
9:31 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
9:31 PM: Starting File Sweep
9:33 PM: Found Adware: gain-supported software
9:33 PM: 00058072.txt (ID = 61395)
9:38 PM: File Sweep Complete, Elapsed Time: 00:07:09
9:38 PM: Full Sweep has completed. Elapsed time 00:08:55
9:38 PM: Traces Found: 2
9:39 PM: Removal process initiated
9:39 PM: Quarantining All Traces: atwola cookie
9:39 PM: Quarantining All Traces: gain-supported software
9:39 PM: Removal process completed. Elapsed time 00:00:25
********
8:36 PM: |··· Start of Session, Monday, October 10, 2005 ···|
8:36 PM: Spy Sweeper started
8:36 PM: Sweep initiated using definitions version 552
8:36 PM: Starting Memory Sweep
8:39 PM: Memory Sweep Complete, Elapsed Time: 00:02:55
8:39 PM: Starting Registry Sweep
8:39 PM: Found Adware: comet cursor
8:39 PM: HKU\WRSS_Profile_S-1-5-21-1645522239-1757981266-725345543-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
8:39 PM: Found Adware: ist istbar
8:39 PM: HKLM\software\classes\typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429}\ (7 subtraces) (ID = 129103)
8:39 PM: HKCR\typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429}\ (7 subtraces) (ID = 129190)
8:39 PM: Found Adware: winad
8:39 PM: HKCR\appid\loaderx.exe\ (1 subtraces) (ID = 147150)
8:39 PM: HKCR\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147151)
8:39 PM: HKLM\software\classes\appid\loaderx.exe\ (1 subtraces) (ID = 147164)
8:39 PM: HKLM\software\classes\appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}\ (1 subtraces) (ID = 147165)
8:39 PM: HKLM\software\classes\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147176)
8:39 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
8:39 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
8:39 PM: HKCR\typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}\ (9 subtraces) (ID = 147244)
8:39 PM: Registry Sweep Complete, Elapsed Time:00:00:11
8:39 PM: Starting Cookie Sweep
8:39 PM: Found Spy Cookie: yieldmanager cookie
8:39 PM: dad@ad.yieldmanager[2].txt (ID = 3751)
8:39 PM: Found Spy Cookie: atwola cookie
8:39 PM: dad@atwola[1].txt (ID = 2255)
8:39 PM: Found Spy Cookie: realmedia cookie
8:39 PM: dad@realmedia[1].txt (ID = 3235)
8:39 PM: Found Spy Cookie: 2o7.net cookie
8:39 PM: mom@2o7[1].txt (ID = 1957)
8:39 PM: Found Spy Cookie: overture cookie
8:39 PM: mom@perf.overture[1].txt (ID = 3106)
8:39 PM: Found Spy Cookie: centrport net cookie
8:39 PM: sam@centrport[1].txt (ID = 2374)
8:39 PM: Found Spy Cookie: 247realmedia cookie
8:39 PM: eric@247realmedia[1].txt (ID = 1953)
8:39 PM: eric@2o7[2].txt (ID = 1957)
8:39 PM: Found Spy Cookie: 64.62.232 cookie
8:39 PM: eric@64.62.232[1].txt (ID = 1987)
8:39 PM: Found Spy Cookie: about cookie
8:39 PM: eric@about[1].txt (ID = 2037)
8:39 PM: eric@ad.yieldmanager[2].txt (ID = 3751)
8:39 PM: Found Spy Cookie: adknowledge cookie
8:39 PM: eric@adknowledge[1].txt (ID = 2072)
8:39 PM: Found Spy Cookie: addynamix cookie
8:39 PM: eric@ads.addynamix[1].txt (ID = 2062)
8:39 PM: Found Spy Cookie: pointroll cookie
8:39 PM: eric@ads.pointroll[1].txt (ID = 3148)
8:39 PM: Found Spy Cookie: adtech cookie
8:39 PM: eric@adtech[2].txt (ID = 2155)
8:39 PM: Found Spy Cookie: apmebf cookie
8:39 PM: eric@apmebf[2].txt (ID = 2229)
8:39 PM: eric@ar.atwola[1].txt (ID = 2256)
8:39 PM: Found Spy Cookie: belnk cookie
8:39 PM: eric@ath.belnk[1].txt (ID = 2293)
8:39 PM: eric@atwola[2].txt (ID = 2255)
8:39 PM: Found Spy Cookie: go.com cookie
8:39 PM: eric@autobytel.espn.go[2].txt (ID = 2729)
8:39 PM: eric@belnk[2].txt (ID = 2292)
8:39 PM: Found Spy Cookie: bluestreak cookie
8:39 PM: eric@bluestreak[1].txt (ID = 2314)
8:39 PM: Found Spy Cookie: burstnet cookie
8:39 PM: eric@burstnet[2].txt (ID = 2336)
8:39 PM: eric@burstnet[3].txt (ID = 2336)
8:39 PM: eric@burstnet[4].txt (ID = 2336)
8:39 PM: Found Spy Cookie: cardomain cookie
8:39 PM: eric@cardomain[2].txt (ID = 2350)
8:39 PM: eric@centrport[2].txt (ID = 2374)
8:39 PM: eric@cnn.122.2o7[1].txt (ID = 1958)
8:39 PM: Found Spy Cookie: adbureau cookie
8:39 PM: eric@creview.adbureau[2].txt (ID = 2060)
8:39 PM: eric@dist.belnk[1].txt (ID = 2293)
8:39 PM: Found Spy Cookie: ru4 cookie
8:39 PM: eric@edge.ru4[1].txt (ID = 3269)
8:39 PM: eric@espn.go[1].txt (ID = 2729)
8:39 PM: eric@games.espn.go[1].txt (ID = 2729)
8:39 PM: Found Spy Cookie: goclick cookie
8:39 PM: eric@goclick[1].txt (ID = 2732)
8:39 PM: eric@go[2].txt (ID = 2728)
8:39 PM: eric@go[3].txt (ID = 2728)
8:39 PM: Found Spy Cookie: humanclick cookie
8:39 PM: eric@hc2.humanclick[2].txt (ID = 2810)
8:39 PM: Found Spy Cookie: hypertracker.com cookie
8:39 PM: eric@hypertracker[1].txt (ID = 2817)
8:39 PM: Found Spy Cookie: ic-live cookie
8:39 PM: eric@ic-live[1].txt (ID = 2821)
8:39 PM: eric@my.espn.go[1].txt (ID = 2729)
8:39 PM: eric@overture[2].txt (ID = 3105)
8:39 PM: Found Spy Cookie: touchclarity cookie
8:39 PM: eric@partypoker.touchclarity[2].txt (ID = 3567)
8:39 PM: Found Spy Cookie: partypoker cookie
8:39 PM: eric@partypoker[2].txt (ID = 3111)
8:39 PM: eric@perf.overture[1].txt (ID = 3106)
8:39 PM: eric@proxy.espn.go[1].txt (ID = 2729)
8:39 PM: Found Spy Cookie: qksrv cookie
8:39 PM: eric@qksrv[2].txt (ID = 3213)
8:39 PM: Found Spy Cookie: questionmarket cookie
8:39 PM: eric@questionmarket[1].txt (ID = 3217)
8:39 PM: eric@r.espn.go[1].txt (ID = 2729)
8:39 PM: Found Spy Cookie: rc cookie
8:39 PM: eric@rc[1].txt (ID = 3231)
8:39 PM: eric@realmedia[1].txt (ID = 3235)
8:39 PM: eric@rsi.espn.go[1].txt (ID = 2729)
8:39 PM: Found Spy Cookie: web-stat cookie
8:39 PM: eric@server3.web-stat[1].txt (ID = 3649)
8:39 PM: eric@soccernet.espn.go[1].txt (ID = 2729)
8:39 PM: eric@sonycorporate.122.2o7[1].txt (ID = 1958)
8:39 PM: eric@sports.espn.go[2].txt (ID = 2729)
8:39 PM: Found Spy Cookie: dealtime cookie
8:39 PM: eric@stat.dealtime[1].txt (ID = 2506)
8:39 PM: Found Spy Cookie: onestat.com cookie
8:39 PM: eric@stat.onestat[2].txt (ID = 3098)
8:39 PM: Found Spy Cookie: statcounter cookie
8:39 PM: eric@statcounter[1].txt (ID = 3447)
8:39 PM: Found Spy Cookie: webtrendslive cookie
8:39 PM: eric@statse.webtrendslive[2].txt (ID = 3667)
8:39 PM: Found Spy Cookie: tracking cookie
8:39 PM: eric@tracking[2].txt (ID = 3571)
8:39 PM: Found Spy Cookie: tradedoubler cookie
8:39 PM: eric@tradedoubler[1].txt (ID = 3575)
8:39 PM: Found Spy Cookie: myaffiliateprogram.com cookie
8:39 PM: eric@www.myaffiliateprogram[1].txt (ID = 3032)
8:39 PM: Found Spy Cookie: adserver cookie
8:39 PM: eric@z1.adserver[1].txt (ID = 2142)
8:39 PM: Found Spy Cookie: atlas dmt cookie
8:39 PM: z guest of radles@atdmt[2].txt (ID = 2253)
8:39 PM: z guest of radles@atwola[2].txt (ID = 2255)
8:39 PM: z guest of radles@centrport[2].txt (ID = 2374)
8:39 PM: z guest of radles@cnn.122.2o7[2].txt (ID = 1958)
8:39 PM: Found Spy Cookie: fastclick cookie
8:39 PM: z guest of radles@fastclick[1].txt (ID = 2651)
8:39 PM: z guest of radles@overture[1].txt (ID = 3105)
8:39 PM: z guest of radles@z1.adserver[1].txt (ID = 2142)
8:39 PM: Cookie Sweep Complete, Elapsed Time: 00:00:09
8:39 PM: Starting File Sweep
8:41 PM: Warning: Failed to read file "c:\documents and settings\dad\local settings\temp\perflib_perfdata_408.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
8:41 PM: Found Adware: gain-supported software
8:41 PM: gator.txt (ID = 61395)
8:51 PM: Found Adware: cydoor peer-to-peer dependency
8:51 PM: cd_clint.dll (ID = 57300)
8:52 PM: Warning: Failed to read file "c:\documents and settings\dad\local settings\application data\google\google desktop search\dbeam". System Error. Code: 32.
The process cannot access the file because it is being used by another process
8:52 PM: Warning: Failed to read file "c:\documents and settings\dad\local settings\application data\google\google desktop search\dbdam". System Error. Code: 32.
The process cannot access the file because it is being used by another process
8:52 PM: File Sweep Complete, Elapsed Time: 00:13:06
8:52 PM: Full Sweep has completed. Elapsed time 00:16:27
8:52 PM: Traces Found: 121
8:53 PM: Removal process initiated
8:53 PM: Quarantining All Traces: comet cursor
8:53 PM: Quarantining All Traces: ist istbar
8:53 PM: Quarantining All Traces: winad
8:53 PM: Quarantining All Traces: yieldmanager cookie
8:53 PM: Quarantining All Traces: atwola cookie
8:54 PM: Quarantining All Traces: realmedia cookie
8:54 PM: Quarantining All Traces: 2o7.net cookie
8:54 PM: Quarantining All Traces: overture cookie
8:54 PM: Quarantining All Traces: centrport net cookie
8:54 PM: Quarantining All Traces: 247realmedia cookie
8:54 PM: Quarantining All Traces: 64.62.232 cookie
8:54 PM: Quarantining All Traces: about cookie
8:54 PM: Quarantining All Traces: adknowledge cookie
8:54 PM: Quarantining All Traces: addynamix cookie
8:54 PM: Quarantining All Traces: pointroll cookie
8:54 PM: Quarantining All Traces: adtech cookie
8:54 PM: Quarantining All Traces: apmebf cookie
8:54 PM: Quarantining All Traces: belnk cookie
8:54 PM: Quarantining All Traces: go.com cookie
8:54 PM: Quarantining All Traces: bluestreak cookie
8:54 PM: Quarantining All Traces: burstnet cookie
8:54 PM: Quarantining All Traces: cardomain cookie
8:54 PM: Quarantining All Traces: adbureau cookie
8:54 PM: Quarantining All Traces: ru4 cookie
8:54 PM: Quarantining All Traces: goclick cookie
8:54 PM: Quarantining All Traces: humanclick cookie
8:54 PM: Quarantining All Traces: hypertracker.com cookie
8:54 PM: Quarantining All Traces: ic-live cookie
8:54 PM: Quarantining All Traces: touchclarity cookie
8:54 PM: Quarantining All Traces: partypoker cookie
8:54 PM: Quarantining All Traces: qksrv cookie
8:54 PM: Quarantining All Traces: questionmarket cookie
8:54 PM: Quarantining All Traces: rc cookie
8:54 PM: Quarantining All Traces: web-stat cookie
8:54 PM: Quarantining All Traces: dealtime cookie
8:54 PM: Quarantining All Traces: onestat.com cookie
8:54 PM: Quarantining All Traces: statcounter cookie
8:54 PM: Quarantining All Traces: webtrendslive cookie
8:54 PM: Quarantining All Traces: tracking cookie
8:54 PM: Quarantining All Traces: tradedoubler cookie
8:54 PM: Quarantining All Traces: myaffiliateprogram.com cookie
8:54 PM: Quarantining All Traces: adserver cookie
8:54 PM: Quarantining All Traces: atlas dmt cookie
8:54 PM: Quarantining All Traces: fastclick cookie
8:54 PM: Quarantining All Traces: gain-supported software
8:54 PM: Quarantining All Traces: cydoor peer-to-peer dependency
8:55 PM: Removal process completed. Elapsed time 00:01:57
9:03 PM: Hosts file is too large.
9:29 PM: Program Version 4.0.4 (Build 430) Using Spyware Definitions 552
9:30 PM: |··· End of Session, Monday, October 10, 2005 ···|
********
8:18 PM: |··· Start of Session, Monday, October 10, 2005 ···|
8:18 PM: Spy Sweeper started
8:19 PM: Hosts file is too large.
8:21 PM: Updating spyware definitions
8:21 PM: Your definitions are up to date.
8:21 PM: Updating spyware definitions
8:21 PM: Your definitions are up to date.
8:36 PM: Hosts file is too large.
8:36 PM: |··· End of Session, Monday, October 10, 2005 ···|


Then I restarted to normal mode, logged on as my wife and ran HJT. Here's the log. Still no sign of the Comet Systems Warning.


Logfile of HijackThis v1.99.1
Scan saved at 9:43:37 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\DOCUME~1\Dad\MYDOCU~1\DIAGNO~1\MOVIEL~1\MOVIEL~3.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Documents and Settings\Dad\My Documents\diagnostics\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Debug ] C:\WINDOWS\SMSS.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Movielink Core Service - Unknown owner - C:\DOCUME~1\Dad\MYDOCU~1\DIAGNO~1\MOVIEL~1\MOVIEL~3.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

How's it look?
Any more recommendations on useless crap to remove?
Thanks
  • 0

#10
ukbiker

ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hi There

Could you please get a file checked for me?

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\SMSS.exe
  • Click on the submit button
  • Please post the results in your next reply.

  • 0
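As an added example (my own, not HijackThis's code or anything posted in this thread), here is a small Python triage pass over HJT log lines that applies the reasoning behind the request above: an autorun entry carrying a core Windows process name but living outside System32 (the C:\WINDOWS\SMSS.exe line) is worth having checked, an autorun launched from a user profile directory deserves a look, and entries marked "(file missing)" or "(no file)" are dead and can be cleaned. The sample lines are constructed to mirror the log in this thread, and the severity labels are my own.

```python
import re

# Core Windows processes that legitimately live only in %SystemRoot%\System32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                  "services.exe", "lsass.exe", "svchost.exe"}

# Line shapes as HijackThis prints them (only the O2 / O4 / O23 families are handled here).
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<bho>.+?) - \{[^}]*\} - (?P<path>.*)$")


def exe_path(cmd):
    """Pull the executable path out of an O4 command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Bare form: first token is the program (e.g. RUNDLL32.EXE <dll>,<entry>).
    return cmd.split()[0] if cmd else ""


def split_path(path):
    """Return (parent_dir, basename), both lower-cased, for a Windows path."""
    norm = path.replace("/", "\\").lower()
    if "\\" not in norm:
        return "", norm
    parent, base = norm.rsplit("\\", 1)
    return parent, base


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    m = O4_RE.match(line)
    if m:
        path = exe_path(m.group("cmd"))
        parent, base = split_path(path)
        # The check the helper applied: smss.exe belongs in System32, nowhere else.
        if base in CORE_PROCESSES and not parent.endswith("\\system32"):
            return ("high", f"core process name '{base}' started from '{path}', not System32")
        if "\\documents and settings\\" in parent:
            return ("medium", f"autorun from a user-writable profile directory: {path}")
        return None
    m = O23_RE.match(line)
    if m:
        if "(file missing)" in m.group("path"):
            return ("low", f"service '{m.group('svc')}' points at a missing file; dead entry")
        if m.group("owner") == "Unknown owner":
            return ("medium", f"service '{m.group('svc')}' has no publisher; verify {m.group('path')}")
        return None
    m = O2_RE.match(line)
    if m and m.group("path").strip() == "(no file)":
        return ("low", f"BHO '{m.group('bho')}' has no file; dead entry")
    return None


def triage_log(text):
    """Run triage_line over every line and collect the non-empty findings in order."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Documents and Settings\Dad\My Documents\diagnostics\MovielinkManager\Movielink User.exe"
O4 - HKLM\..\Run: [Debug ] C:\WINDOWS\SMSS.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Movielink Core Service - Unknown owner - C:\DOCUME~1\Dad\MYDOCU~1\DIAGNO~1\MOVIEL~1\MOVIEL~3.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}")
```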



#11
wwisconsin

wwisconsin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hello again
I could not find the file in c:\windows, but I found it in c:\windows\system32 and c:\windows\servicepackfiles\i386

Results from Jotti's scan are as follows:


Service load: 0% 100%

File: smss.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 bd7fb0957c716f1a60333aee04de2178
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


Statistics
Last file scanned at least one scanner reported something about: tizupd.bin, detected by:

Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender Trojan.Downloader.Purityscan.AH
ClamAV X
Dr.Web Trojan.PurityAd
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus Trojan-Downloader.Win32.PurityScan.ah
NOD32 probably a variant of Win32/Adware.MediaTickets application
Norman Virus Control X
UNA X
VBA32 X
  • 0

#12
ukbiker

ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hi There

OK, which of the two files gave the bad result? The one in the system32 path?
we need to have the exact file path that you pasted into the box which generated the infected result.
  • 0

#13
wwisconsin

wwisconsin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
The scan I posted yesterday was from c:\windows\system32. The following is from c:\windows\servicepackfiles\i386

Service load: 0% 100%

File: smss.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 bd7fb0957c716f1a60333aee04de2178
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Also, I did a Microsoft Antispyware scan last night and it found a serious threat that I removed. I don't know if this is related or just a coincidence. Here are the scan results.

Total Time: 16 mins 2 secs

Detected Threats

Worm:Win32/VB.DA Worm more information...
Details: This is a worm that propagates itself using Microsoft Outlook.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected files detected
c:\s.tmp


NewDotNet Browser Plug-in more information...
Details: New.Net is an Internet Explorer plug-in that adds extra top-level domains (such as .shop or .tech) to your name resolution system.
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\windows\ndnuninstall6_30.exe


Detected Spyware Cookies
No spyware cookies were found during this scan.
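A worked version of the check behind ukbiker's question in #12 (which copy of smss.exe produced the hit), added here and not part of the thread or of any tool named in it: hash the copy under system32 and the copy under ServicePackFiles\i386 and compare them, so that a scanner verdict can be tied to one concrete hash (Jotti printed the MD5 of the ServicePackFiles copy above; the system32 copy should match it if it is the same file). The directory layout and file contents built in run_demo() are constructed stand-ins so the script runs anywhere; on the real machine you would call compare_copies() with the two Windows directories.

```python
"""Compare files in one directory with the same-named copies in a reference
directory (e.g. %SystemRoot%\\system32 vs %SystemRoot%\\ServicePackFiles\\i386)
by MD5 and SHA-256.  Added example; the demo tree below is constructed.
"""
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=1 << 16):
    """Return (md5_hex, sha256_hex) of a file, streamed in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def compare_copies(primary_dir, reference_dir, names):
    """Classify each name's primary copy against its reference copy.

    Returns {name: (status, md5_primary, md5_reference)} where status is one of
    "match", "differs", "missing_primary", "missing_reference".
    """
    report = {}
    for name in names:
        primary = os.path.join(primary_dir, name)
        reference = os.path.join(reference_dir, name)
        p_md5 = file_digests(primary)[0] if os.path.isfile(primary) else None
        r_md5 = file_digests(reference)[0] if os.path.isfile(reference) else None
        if p_md5 is None:
            status = "missing_primary"
        elif r_md5 is None:
            status = "missing_reference"
        elif p_md5 == r_md5:
            status = "match"
        else:
            status = "differs"
        report[name] = (status, p_md5, r_md5)
    return report


def run_demo():
    """Build a constructed system32 / ServicePackFiles pair and compare it."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        spf = os.path.join(root, "ServicePackFiles", "i386")
        os.makedirs(sys32)
        os.makedirs(spf)
        # Constructed stand-ins, not real Windows binaries (None = no reference copy).
        samples = {
            "same.exe": (b"MZ identical build", b"MZ identical build"),
            "changed.exe": (b"MZ patched build", b"MZ original build"),
            "only_here.exe": (b"MZ unknown origin", None),
        }
        for name, (primary, reference) in samples.items():
            with open(os.path.join(sys32, name), "wb") as fh:
                fh.write(primary)
            if reference is not None:
                with open(os.path.join(spf, name), "wb") as fh:
                    fh.write(reference)
        return compare_copies(sys32, spf, samples)


if __name__ == "__main__":
    for name, (status, p_md5, r_md5) in run_demo().items():
        print(f"{name:14} {status:18} primary={p_md5} reference={r_md5}")
```

A "differs" result does not by itself mean the system32 copy is malicious (a hotfix can legitimately replace it), but it does tell you the two scans were of two different files, which is the ambiguity ukbiker was trying to resolve.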

#14
ukbiker

    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hiya

When MSAS detected and removed the NewDotNet item, was it just the uninstaller it removed? The problem is that NDN, if wrongly removed, will break your system badly, and MSAS removes it wrongly. I strongly suggest that you restore the NewDotNet item, but not the Outlook worm, which is what I have been looking for. I will post the correct NewDotNet fix in a minute for you.

Hi There

here is the newdotnet fix.

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

Hopefully we caught it before msas did any damage.

Don't forget to print these instructions out.
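The reason ukbiker's procedure keeps LSPFix on hand is that New.Net registers a Winsock Layered Service Provider: if the DLL is deleted while its catalog entry remains, every socket load fails and the machine loses Internet access. The following is an added example of the check that LSPFix automates (my code, not LSPFix's and not anything from the thread): it walks the Winsock protocol catalog and reports entries whose provider DLL is no longer on disk. It only reports; it does not edit the registry. Two assumptions are labelled in the code: that each Catalog_Entries subkey's PackedCatalogItem value begins with the provider's library path as a NUL-terminated ANSI string, and the constructed sample catalog used by run_demo(), including the hypothetical stale entry example_lsp.dll. On a Windows host the script reads the live catalog through winreg; elsewhere it runs the constructed demo.

```python
"""Report Winsock catalog entries whose provider DLL is missing.

Added example.  Assumption: each
HKLM\\...\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\\<NNNN>
subkey has a REG_BINARY value PackedCatalogItem whose first bytes are the
provider DLL path as a NUL-terminated ANSI string (at most MAX_PATH bytes).
"""
import os
import re
import sys

MAX_PATH = 260
CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")
_VAR = re.compile(r"%([^%]+)%")


def provider_path(packed_item):
    """Extract the DLL path from a PackedCatalogItem blob (assumed layout above)."""
    head = packed_item[:MAX_PATH]
    end = head.find(b"\x00")
    raw = head if end < 0 else head[:end]
    return raw.decode("latin-1")  # ANSI path; ASCII for every stock provider


def expand_path(path, env):
    """Expand %SystemRoot%-style variables (case-insensitive lookup in env)."""
    upper_env = {k.upper(): v for k, v in env.items()}
    return _VAR.sub(lambda m: upper_env.get(m.group(1).upper(), m.group(0)), path)


def find_broken_entries(entries, env, exists=os.path.isfile):
    """entries: {entry_name: packed_item_bytes}.

    Returns [(entry_name, expanded_dll_path)] for every entry whose DLL
    does not exist; exists() is injectable so the check can be tested offline.
    """
    broken = []
    for name, blob in sorted(entries.items()):
        dll = expand_path(provider_path(blob), env)
        if not exists(dll):
            broken.append((name, dll))
    return broken


def read_live_catalog():
    """Read the real catalog (Windows only, read-only access)."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            with winreg.OpenKey(root, sub) as key:
                value, kind = winreg.QueryValueEx(key, "PackedCatalogItem")
                if kind == winreg.REG_BINARY:
                    entries[sub] = value
    return entries


def pack(path):
    """Build a constructed PackedCatalogItem-style blob for the demo."""
    return path.encode("latin-1").ljust(MAX_PATH, b"\x00") + b"\x00" * 16


def run_demo():
    """Constructed catalog: two stock providers present, one stale LSP entry."""
    env = {"SystemRoot": r"C:\WINDOWS"}
    on_disk = {r"C:\WINDOWS\system32\mswsock.dll", r"C:\WINDOWS\system32\rsvpsp.dll"}
    entries = {
        "000000000001": pack(r"%SystemRoot%\system32\mswsock.dll"),
        "000000000002": pack(r"%SystemRoot%\system32\rsvpsp.dll"),
        "000000000003": pack(r"C:\WINDOWS\system32\example_lsp.dll"),  # hypothetical stale entry
    }
    return find_broken_entries(entries, env, exists=lambda p: p in on_disk)


if __name__ == "__main__":
    if sys.platform == "win32":
        broken = find_broken_entries(read_live_catalog(), os.environ)
    else:
        broken = run_demo()
    for name, dll in broken:
        print(f"catalog entry {name}: provider DLL not found: {dll}")
```

A non-empty result is exactly the state LSPFix's "Remove" panel shows; the repair (deleting those entries and renumbering the remaining ones) is what LSPFix does and is deliberately not attempted here.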

#15
wwisconsin

wwisconsin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I'm thinking it was just the uninstaller, based on this cut and paste from the report:

NewDotNet Browser Plug-in more information...
Details: New.Net is an Internet Explorer plug-in that adds extra top-level domains (such as .shop or .tech) to your name resolution system.
Status: Removed
Moderate threat - Moderate-risk items have some potential for harm, but may be part of a wanted service. Users may decide to ignore such programs after review.

Infected files detected
c:\windows\ndnuninstall6_30.exe

But I don't know for sure. I also would not know how to restore it. I don't see it in my recycle bin?





