CWS.HomeSearch in registry? [RESOLVED]

#1 FS3 (New Member, 6 posts)
Hi,
PestPatrol says CWS.HomeSearch is in my registry at the location below (and can't remove it, even in safe mode), but all the HJT log entries seem OK to me. Any help would be greatly appreciated.

The location is:
HKEY_LOCAL_MACHINE\system\currentcontroset\enum\root\legacy_11f*00df*00e4*0006#*b700ba*00C4*00d6*`1
Pics of the reg entries attached.

I have tried updated Ad-Aware SE, CWShredder, Spybot, Ewido, and Housecall.

Thank you.

Here's my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 2:00:15 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Intuit\AgentSrv.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\HJT\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hdw1a9f5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hdw1a9f5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CpqSysTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\cpqpscp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Intuit\CBSysTray.exe
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...an/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120197593843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129011407331
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Intuit\AgentSrv.EXE
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by FS3, 08 November 2005 - 01:01 AM.

#2 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Hi FS3 and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.

Have you run Spybot S&D, CWShredder and AdAware yet? Did you follow all these instructions?

You Must Read This Before Posting A Hijackthis Log



Excal

#3 FS3 (Topic Starter, New Member, 6 posts)
Excal,
Thanks for replying.

I did follow those instructions and run those utilities prior to my first post. But, to be sure, I did it all again with updated versions, except for Trojan Hunter because the trial period has expired.

On the first go-round (prior to my first post) Ewido found some trojan downloaders, which I removed.
This go-round only some tracking cookies were found/removed.

I believe I had a CWS infection a while ago (browser hijacking) which I think/thought I fixed.
Perhaps the registry entries I have are inactive remnants of that?

Below is a new HJT log.
Comparing this log to the log above, I found a few new processes:
system32\csrss.exe
system32\wdfmgr.exe
and two more instances of system32\svchost.exe (are 4 of these normal?)

Thanks again for your help.
- FS3

Logfile of HijackThis v1.99.1
Scan saved at 4:58:28 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Intuit\AgentSrv.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hdw1a9f5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hdw1a9f5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CpqSysTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\cpqpscp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Quicken Online Backup TaskBar Icon.LNK = C:\Program Files\Intuit\CBSysTray.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...an/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120197593843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129011407331
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Intuit\AgentSrv.EXE
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by FS3, 15 November 2005 - 04:09 PM.

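FS3 compared the two logs by eye. As an added example (not code from the thread or from HijackThis), the script below does that comparison mechanically for the "Running processes" section: it normalizes path case so System32 and system32 are not counted as different, reports added, removed and count-changed processes, and flags any copy of a given process name running from outside its expected directory. The two logs it contains are constructed excerpts modelled on the ones posted above.

```python
"""Compare the "Running processes" sections of two HijackThis v1.99 logs.

Added example; not code from the thread or from HijackThis. LOG_A and LOG_B
are constructed excerpts modelled on the two logs in the thread.
"""
import ntpath
from collections import Counter

LOG_A = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:00:15 AM, on 11/8/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

LOG_B = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:58:28 PM, on 11/15/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""


def running_processes(log):
    """Paths listed under 'Running processes:' in log order (section ends at a blank line)."""
    procs, in_section = [], False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            procs.append(stripped)
    return procs


def normalize(path):
    # Windows paths are case-insensitive, so System32 and system32 are one
    # directory; without this the diff reports spurious "added" processes.
    return path.lower()


def process_counts(log):
    """Multiset of normalized paths: the same image can run several times."""
    return Counter(normalize(p) for p in running_processes(log))


def diff_processes(old_log, new_log):
    """Processes that appeared, disappeared, or changed their instance count."""
    old, new = process_counts(old_log), process_counts(new_log)
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "count_changed": {p: (old[p], new[p])
                          for p in old.keys() & new.keys() if old[p] != new[p]},
    }


def instances_of(log, basename):
    """How many listed processes have this file name (case-insensitive)."""
    return sum(1 for p in running_processes(log)
               if ntpath.basename(p).lower() == basename.lower())


def out_of_place(log, basename, expected_dir):
    """Instances of `basename` running from somewhere other than `expected_dir`.

    Several svchost.exe under the System32 directory is normal on XP; the same
    file name running from any other directory is what deserves a closer look.
    """
    expected = normalize(expected_dir.rstrip("\\"))
    return [p for p in running_processes(log)
            if ntpath.basename(p).lower() == basename.lower()
            and normalize(ntpath.dirname(p)) != expected]
```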

#4 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Those two entries are legit and it is normal to have more than one instance of svchost.exe running :)


Are those reg entries gone now?

And did you run ewido in safe mode? If so, can I please have the log.


Thanks,


Excal

#5 FS3 (Topic Starter, New Member, 6 posts)
Excal,
I still have the registry entries.
I ran Ewido again in safe mode today (11/15/2005). The log is below; just some cookies.
Also, I posted a log from when I first ran Ewido (on 11/7/2005) which shows (what appear to be) some *other* cws registry entries and other bad stuff.

XXXX Start of most recent Ewido log (11/15/2005)
---------------------------------------------------------
ewido security suite - Scan report
--------------------------------------------------------
+ Created on: 11:36:12 PM, 11/15/2005
+ Report-Checksum: 626AA5E7
+ Scan result:

:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\g4vhv82i.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
::Report End
XXXX End of most recent Ewido log (11/15/2005)

XXXX Start of previous Ewido log (11/7/2005)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:42:18 AM, 11/7/2005
+ Report-Checksum: FDB7512A
+ Scan result:

C:\Program Files\Intuit\COBackup.exe -> Heuristic.Win32.Dialer : Ignored [I think this is OK]
HKLM\SOFTWARE\Classes\CLSID\{2FB10B1F-E342-08A1-CBAA-D4A2CD2ABAC6} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{52CA0FCE-F9E0-2125-6CA6-2627141A47E9} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{5FA0CF1E-5FF7-5212-6D7D-5710E683BABB} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{7EFCA545-7AB8-61BF-D7DE-AEA89256912C} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{81AE8953-3335-A1BB-5174-F82625372B4E} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{9D7705A4-9543-9869-8249-F62AC961BDA5} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{BCA18F7D-4CAB-D300-286E-432722FFB0FB} -> Spyware.CoolWebSearch : Cleaned without backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@cz6.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20050730024420.zip/Documents and Settings/Owner/Cookies/owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051101232212.zip/Documents and Settings/Owner/Cookies/owner@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051102014500.zip/Documents and Settings/Owner/Cookies/owner@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051106234002.zip/Documents and Settings/Owner/Cookies/owner@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\PestPatrol\Quarantine\20051106234002.zip/Documents and Settings/Owner/Cookies/owner@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\WINDOWS\aucfg.ini:hciar -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINDOWS\aucfg.ini:hmysl -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\aucfg.ini:jpzml -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\Blue Lace 16.bmp:dpjrhg -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINDOWS\Blue Lace 16.bmp:dydcx -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINDOWS\Blue Lace 16.bmp:vaosj -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\cdplayer.ini:hsiti -> TrojanDownloader.Agent.bc : Cleaned without backup
C:\WINDOWS\cdplayer.ini:wyuhb -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\CleaningLab.INI:wqcxji -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\Coffee Bean.bmp:oaguu -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\Coffee Bean.bmp:oruce -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\control.ini:cwara -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\control.ini:sllme -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cpqastat.ini:zpwen -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\desktop.ini:mkctq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\doom3.ini:avbwpc -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsda.dll.tcf -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\earnmoney.ico:iytev -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\elkla.dat:swucrn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\EngineExe.INI:yhzkj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\eReg.dat:kqfsj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\eReg.dat:miawk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\explorer.scf:drsce -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\FeatherTexture.bmp:dooye -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\FeatherTexture.bmp:pmxrg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\FeatherTexture.bmp:qzpvt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:kipesb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:lspcl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:qgvwut -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\intuprof.ini:cbarud -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\intuprof.ini:ljvxd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\INTURS.DAT:yppjpa -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\INTURS.DAT:ztukq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\kodakpcd.Owner.ini:aooun -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\lmijntb.ini:tbpsn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\matchnet.ico:tzdry -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\matchnet.ico:vcvrhc -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mgxoschk.ini:ncark -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ModemLog_Lucent Win Modem.txt:manwag -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ModemLog_Lucent Win Modem.txt:oekqd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msoffice.ini:ysznw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\netflix.ico:iutck -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\netflix.ico:qddjh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netflix.ico:qzoqx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\nsreg.dat:xrkgsu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ODBC.INI:jtcfs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ODBC.INI:lqvrfi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ODBC.INI:ncaluh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:uxterd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\orun32.ini:eyeza -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.ini:fphny -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.ini:fvkqor -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.ini:lwpai -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.ini:mbrpw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.isu:orjrc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\PanelExe.INI:iqgcce -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:ajzhwo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\QUICKEN.INI:risle -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\QUICKEN.INI:wfzbp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\qwimp.ini:mwhqt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\readme.ico:gwjulx -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Readme.txt:uwacs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Readme.txt:ytqic -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\REGLOCS.OLD:mtfvx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Rhododendron.bmp:hgcul -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Rhododendron.bmp:zzujf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\River Sumida.bmp:neqer -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Santa Fe Stucco.bmp:dwmnmr -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Santa Fe Stucco.bmp:sxvsvb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setupapi.log.0.old:odvzvn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setupapi.log.0.old:zqlgk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SetupPestPatrolBeta.mif:cksmb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Soap Bubbles.bmp:tqnclq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\tiscali_it_2.ico:pbuly -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\tiscali_it_2.ico:wekaws -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\TOC Printer.INI:fiala -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\TOC Printer.INI:frrok -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\vb.ini:auyma -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\vb.ini:avabc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\vb.ini:pieelq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\vb.ini:qbdew -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\vb.ini:qtvzh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\vbaddin.ini:kvpbo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\VTruck1.ini:kqmuk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\VTruck1.ini:nnvqb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\win.ini:loduz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\win.ini:lvkxx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WININIT.INI:lkveoq -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\WININIT.INI:qrior -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt.bmp:hiogn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winnt.bmp:pvipsx -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winnt.bmp:tueis -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt.bmp:wsngd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt.bmp:xlzqa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt256.bmp:xdcex -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\WMSysPrx.prx:glsxdb -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:bruyo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:mbdcz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:vcabb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:ycgcj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:ylldxd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:abglw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:acnvi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:actub -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:aczfu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:ajptl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:amkmi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:anmwn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:arzlu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:axgbi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:axvooa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:axxcv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:bdrng -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:bhqyv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:bkmwi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:blrpl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:bnzpq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:bosnc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:bpkma -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:bqzii -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:ccdsg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:cjliqu -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:ckzkg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:cxgnc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:cyjwzl -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:dbxoj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:dbxojd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:dgqvfo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:dktmi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:dpbyco -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:drvum -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:dwicr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:eblzk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:eiiet -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:elxoe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:enhgq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:eogkg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:eogkgx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:eohoz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:euxfe -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:faxdzk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:fbvhv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:fnwiwz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:fptsh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:fsgyg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:fsxyr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:fzrfz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:gdqmb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:geaqxu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:gghib -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ggmgc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:gikrk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:glmegq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:gntwm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:gqszc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:gsmnwi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:hgqkr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:hroep -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:hslvoq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:hxkfr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:hzqrt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ibbjjv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:iidek -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:ikbpd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:iqcoh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:isapz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:iubwf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ivyjo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:iyljw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:jdphm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:jggoy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:jjnft -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:jnznb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:kixxc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:kjgwm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:kjzhg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:kkftth -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:kljuf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:kpkzi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:kpsix -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:kqioy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:kwmvq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:kwpkwp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:kylim -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:kztsu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:lcket -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:lewex -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:lnuii -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:lpxhj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:lvzof -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:majzu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:mfmdr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:mfpto -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:mksxgd -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:mlzxh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:mphds -> TrojanDownloader.Agent.bc : Cleaned with backup
::Report End
XXXX End of previous Ewido log (11/7/2005)
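Every hit in the Ewido log above has the form C:\WINDOWS\<file>:<stream>. The host files (win.ini, Zapotec.bmp, _default.pif and the rest) are ordinary Windows files; the payloads were stored in NTFS alternate data streams attached to them, which is why nothing shows in Explorer, in a directory listing, or in a HijackThis log. The script below is an added example, not part of this thread and not Ewido's code: it walks a directory and lists every stream other than the default data stream, optionally deleting them. It assumes Windows PowerShell 3.0 or later (for the -Stream parameter); the default root (%SystemRoot%, as in the log) and the list of streams treated as benign are assumptions for the example.

```powershell
# Added example: enumerate (and optionally remove) NTFS alternate data streams.
# Not part of the original thread. Requires Windows PowerShell 3.0+.
param(
    [string]$Root = $env:SystemRoot,   # assumption: scan %SystemRoot%, as in the Ewido log
    [switch]$Remove                    # delete the streams instead of only listing them
)

# Streams that are expected on a normal system. ':$DATA' is the file's own
# content; 'Zone.Identifier' is the mark-of-the-web on downloaded files.
$benign = @(':$DATA', 'Zone.Identifier')

Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_.FullName
    # -Stream * returns one object per stream on the file, including :$DATA
    Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $benign -notcontains $_.Stream } |
      ForEach-Object {
        # Report the hit in the same "file:stream" shape the Ewido log uses
        [pscustomobject]@{
            Hit   = "{0}:{1}" -f $file, $_.Stream
            Bytes = $_.Length
        }
        if ($Remove) {
            # Removes only the named stream; the host file and its data stay intact
            Remove-Item -LiteralPath $file -Stream $_.Stream -Confirm:$false
        }
      }
  } | Format-Table -AutoSize
```

Run it without -Remove first and review the list; a stream that is a few bytes of text is usually harmless metadata, while a stream the size of an executable attached to a .bmp or .ini is the pattern seen above. On Vista and later, `dir /r` in cmd.exe shows the same streams for a single directory.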

#6
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
It looks like it's all gone :)!



Great job, it appears your computer is clean :tazz:

Now that your system is malware free, it is important to reset your System Restore. Click Here to learn how to.

I recommend that you Defrag your computer before setting your Restore points:

Go to Start > All Programs > Accessories > System Tools > Disk Defragmenter. Make sure it is set to the proper drive (the default should be your main drive) and click on Defragment.


Might I suggest the following free anti-spyware programs, if you don't already have them, for added security. You can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, this site is a great source for tightening up security on its settings.

Make sure that you keep your operating system and IE updated with the latest Critical Security Updates from Microsoft; they usually come out once a month, on the 2nd Tuesday of each month.

Be sure to give the Temp folders a cleaning out now and then as well. After you clean your Temp files, empty out your Recycle Bin as well.
For ease, use the following program:

Cleanup
Run "Cleanup" and, when it has finished, reboot.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read So how did I get infected in the first place?

#7
FS3
    New Member
  • Topic Starter
  • Member
  • 6 posts
Excal,
Thanks again for the reply.

It seems my HJT log is clean, but I still have that strange registry entry that Pest Patrol thinks is CWS.HomeSearch:

HKEY_LOCAL_MACHINE\system\currentcontroset\enum\root\legacy_11f*00df*00e4*0006#*b700ba*00C4*00d6*`1

Pics of the reg entries attached to first post.

I don't have any strange computer behavior, so maybe I should just ignore the registry entry?
- FS3

#8
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that "Save as type" is set to "All Files") on your Desktop. Ensure there is no space at or above REGEDIT4.


REGEDIT4

; Hive path corrected to CurrentControlSet; the LEGACY_ key name is kept exactly as transcribed in the thread
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_11f*00df*00e4*0006#*b700ba*00C4*00d6*`1]



Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


reboot and that should take care of it :tazz:

#9
FS3
    New Member
  • Topic Starter
  • Member
  • 6 posts
Excal,

Thank you for your help- I was able to delete the key. :tazz:

fixme.reg did not work, but that led me to inspect the key in regedit.

Feeling bold (reckless?), I tried deleting the key in regedit, but it would not allow it.
I noticed that "Permissions" showed that the group "System" had "Full Control" and the group "Everyone" had "Read". So, I changed the permission on that key (only) for the group Everyone to "Full Control" and voila, deletable.

Somewhat strange because I have admin rights, but it worked.

Thanks again for your help.

Donation in the email...

- F3

Edited by FS3, 18 November 2005 - 12:39 AM.

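Posts #8 and #9 above show the same obstacle twice: the .reg merge in #8 silently fails to delete the key, and regedit refuses a plain Delete, because the key's DACL gives SYSTEM Full Control and everyone else only Read. Membership of Administrators does not bypass a DACL; what does is that the owner of a key can always rewrite its DACL (and an elevated administrator can take ownership). The script below is an added example, not code from the thread, and it grants Full Control to BUILTIN\Administrators rather than to Everyone as in #9, since the key is deleted immediately afterwards. The key path is a placeholder parameter, not the key from this thread; it assumes an elevated Windows PowerShell session.

```powershell
# Added example, not from the thread: delete a registry key whose DACL blocks
# Administrators, by (taking ownership if needed and) granting Full Control first.
# Run from an elevated (Run as administrator) PowerShell.
param(
    # Placeholder path relative to HKLM; substitute the key to remove.
    [string]$SubKey = 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EXAMPLE'
)

$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$rw     = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$rights = [System.Security.AccessControl.RegistryRights]
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

# 1. Show the current DACL. READ_CONTROL is part of plain "Read", so this works
#    even when the key only grants Everyone Read.
$key = $hklm.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree, $rights::ReadPermissions)
if (-not $key) { throw "HKLM\$SubKey does not exist" }
$key.GetAccessControl().Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
$key.Close()

# 2. Get WRITE_DAC on the key. The owner implicitly has it; if the open fails,
#    take ownership (SeTakeOwnershipPrivilege, held by an elevated admin) and retry.
$want = $rights::ChangePermissions -bor $rights::ReadPermissions
try {
    $key = $hklm.OpenSubKey($SubKey, $rw, $want)
} catch {
    $key = $hklm.OpenSubKey($SubKey, $rw, $rights::TakeOwnership)
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($admins)        # only the owner section is written back
    $key.SetAccessControl($ownerOnly)
    $key.Close()
    $key = $hklm.OpenSubKey($SubKey, $rw, $want)
}

# 3. Add an explicit Allow Full Control ACE for Administrators that also
#    inherits to subkeys, so DeleteSubKeyTree can remove them.
$acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $admins,
    $rights::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

# 4. The delete now succeeds; DeleteSubKeyTree removes any subkeys as well.
$hklm.DeleteSubKeyTree($SubKey)
Write-Host "Deleted HKLM\$SubKey"
```

Two caveats before running it against a real key: LEGACY_<name> keys under Enum\Root are created for legacy (non-PnP) driver services, so confirm the matching entry under HKLM\SYSTEM\CurrentControlSet\Services is already gone, otherwise the key can be recreated at the next boot; and if a subkey carries its own restrictive DACL that does not inherit, repeat steps 2 and 3 on that subkey before the tree delete.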

#10
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Good job, thanks :)

:tazz:

Excal

#11
Excal
    Malware Slayer Extraordinaire!
  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.