[Michelle]

Now that you have access to normal mode, will you please post the log from Ewido so I can see what's in it?

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\azesearch4.dll (file missing)

Close HiJackThis.

Next, download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, if it does click no.

Then, please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here along with that Ewido log.

[Advertisements]

ok im waiting on the active scan now.
do you want the ewido log from 11/20 or you want me to run a new one?

[brooke d]

ok im waiting on the active scan now.
do you want the ewido log from 11/20 or you want me to run a new one?

[brooke d]

ok here is the log for activescan...i wasnt sure if i was suppose to load the 30 day free trail to disinfect these files? let me know about that...also im attachting the ewido log from 11/20..wasnt sure if you wanted a new one or not.


Incident Status Location

Adware:Adware/AzeSearch Not disinfected C:\Documents and Settings\Brooke\Desktop\backups\backup-20051120-101054-405.inf
Adware:adware/cws Not disinfected C:\Documents and Settings\Brooke\Desktop\Casino.url
Adware:Adware/Secure32 Not disinfected C:\WINDOWS\secure32.html
Adware:adware/azesearch Not disinfected C:\WINDOWS\SYSTEM32\azebar.xml
Adware:adware/msctl32 Not disinfected C:\WINDOWS\SYSTEM32\msctl32.dll
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:13:12 AM, 11/20/2005
+ Report-Checksum: 162D88BE

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKU\S-1-5-21-3256859827-4200377037-4052851216-1006\Software\Microsoft\Search Assistant\ACMru\5603\\001 -> Spyware.ZToolbar : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\brooke@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brooke\Desktop\backups\backup-20051120-101053-460.dll -> Spyware.AzSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP143\A0039437.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP143\A0039441.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP143\A0040401.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP143\A0040402.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP143\A0041401.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP143\A0041402.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP144\A0041447.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP144\A0041448.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP144\A0042460.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP144\A0042461.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP145\A0042536.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP145\A0042537.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP145\A0043530.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP145\A0043531.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP145\A0043556.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP145\A0043557.exe -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP145\A0043564.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP145\A0043565.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP146\A0044565.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP146\A0044569.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP147\A0045599.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP153\A0052130.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP153\A0052145.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP166\A0052719.dll -> Spyware.AzSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP177\A0056397.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP180\A0059619.dll -> Spyware.AzSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP181\A0059720.exe -> Not-A-Virus.Hoax.Renos.aa : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP181\A0059721.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP183\A0059773.exe -> Not-A-Virus.Hoax.Renos.aa : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP183\A0059784.dll -> Spyware.AzSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP183\A0060192.dll -> Spyware.AzSearch : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP186\A0060512.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP186\A0060564.dll -> Spyware.AzSearch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\SYSTEM32\azesearch4.ocx -> Spyware.AzSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\iasada.dll_tobedeleted -> Spyware.AzSearch : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.z : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.z : Cleaned with backup


::Report End

[Michelle]

Hello Brooke

No need for the 30 day trial, we'll get rid of them manually.

First we need to get an export of a portion of your registry so we can find out what's going on with those services:

Go to Start > Run and paste the following into the box:

regedit /e c:\reg.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"

Click OK.

Then using Windows Explorer (right-click the start button and go to "Explore") locate the following file:

C:\reg.txt

Right-click on reg.txt and go to "Send to > Compressed (Zipped) folder" It will create a zipped file called reg.zip on C:

Please e-mail reg.zip to [email protected]


Then, please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

C:\WINDOWS\SYSTEM32\msctl32.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here.

Then using Windows Explorer navigate to the following files in bold and delete them:

C:\Documents and Settings\Brooke\Desktop\Casino.url
C:\WINDOWS\secure32.html
C:\WINDOWS\SYSTEM32\azebar.xml

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

• Save it to your desktop.
• Double-click the new icon on your desktop (tmas-web-scan.exe)
• It will say "Loading TrendMicro definitions".
• Once the definitions are loaded, the program will appear to close then re-open.
• Click Start Scan
• After it's done scanning, click Scan Results
• Make sure all items found have a check next to them, then click Clean Threats Now.
• Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called Antispyware.log, please double-click that log and copy the entire contents and paste them here.

[brooke d]

sorry the results you wanted for the jotti scan i lost...when i rebooted my computer.

here are the other results you asked for...is there anyway i can get the others for you? the file seems to be gone?

Started Scanning
Internet Cookies
Found 'casalemedia.com' in 'Internet Explorer Cache'
Found 'tradedoubler.com' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Found 'bluestreak.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'adknowledge.com' in 'Internet Explorer Cache'
Found 'realmedia.com' in 'Internet Explorer Cache'
Found 'media.adrevolver.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Classes\ed2k'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'Software\AppConf'
Found 'confset' in 'Software\AppConf'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Program Files\BearShare'
Found '' in 'C:\Program Files\BearShare\db'
Found '' in 'C:\Program Files\BearShare\Logs'
Found '' in 'C:\Program Files\WinMX'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Program Files\BearShare' in shortcut areas.
Checking for 'C:\Program Files\BearShare' in startup areas.
Cleaning 'C:\Program Files\BearShare'
Checking for 'C:\Program Files\BearShare\BearShare.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\BearShare.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\BearShare.dat'
Checking for 'C:\Program Files\BearShare\db\config.bin' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\config.bin' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\config.bin'
Checking for 'C:\Program Files\BearShare\db\connect.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\connect.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\connect.txt'
Checking for 'C:\Program Files\BearShare\db\gwebcache.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\gwebcache.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\gwebcache.dat'
Checking for 'C:\Program Files\BearShare\db\Hostiles-Chat.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\Hostiles-Chat.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\Hostiles-Chat.txt'
Checking for 'C:\Program Files\BearShare\db\Hostiles.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\Hostiles.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\Hostiles.txt'
Checking for 'C:\Program Files\BearShare\db\library.2.db' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\library.2.db' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\library.2.db'
Checking for 'C:\Program Files\BearShare\db\library.db' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\library.db' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\library.db'
Checking for 'C:\Program Files\BearShare\db\searches.ini' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\searches.ini' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\searches.ini'
Checking for 'C:\Program Files\BearShare\FreePeers.ini' in shortcut areas.
Checking for 'C:\Program Files\BearShare\FreePeers.ini' in startup areas.
Cleaning 'C:\Program Files\BearShare\FreePeers.ini'
Checking for 'C:\Program Files\BearShare\Logs\hosts-state.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\hosts-state.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\hosts-state.txt'
Checking for 'C:\Program Files\BearShare\Logs\memory.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\memory.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\memory.txt'
Checking for 'C:\Program Files\BearShare\Logs\ordinal.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\ordinal.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\ordinal.txt'
Checking for 'C:\Program Files\BearShare\Logs\streams.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\streams.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\streams.txt'
Checking for 'C:\Program Files\BearShare\db' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db' in startup areas.
Cleaning 'C:\Program Files\BearShare\db'
[SCANMODS] The file 'C:\Program Files\BearShare\db' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\BearShare\Logs' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs'
[SCANMODS] The file 'C:\Program Files\BearShare\Logs' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX' in shortcut areas.
Checking for 'C:\Program Files\WinMX' in startup areas.
Cleaning 'C:\Program Files\WinMX'
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in shortcut areas.
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in startup areas.
Cleaning 'C:\Program Files\WinMX\wpnpchannelcmds.txt'
Finished Cleaning

[Michelle]

Hello Brooke

We received your registry export, thank you

Now, we're going to try restoring everything Ewido removed to see if anything there caused the problem with those services, don't worry about restoring the bad guys, we'll get rid of them again:

Open Ewido
Click Quarantine on the left side.

Highlight everything in that window (click the first item, hold shift and press the down arrow)

When everything is highlighted, click Restore

A small window will open up. Click Restore on this one as well.

After they are restored:

Go to start > run type services.msc

Scroll down the list and look for each of these:

TCP/IP NetBIOS Helper
Remote Registry
Windows User Mode Driver Framework
Web Client

Right-click on each one and go to Properties. Under the general tab, click the Stop button, then change the "Startup Type" to manual. Click Apply, OK.

Then go into msconfig and select normal startup (so that all services are checked) apply, ok.

Reboot your computer and see if you can get into normal windows or if it freezes before log-in again.

If you can't get to normal windows, disable those 4 services in msconfig again, let me know how it goes!

[brooke d]

ok i got into normal mode

[Michelle]

Interesting...

msconfig is set to normal startup (all services checked)? Just have to double-check b/c it's odd that it would work now. All 4 services were stopped and set to manual as well?

We need to find out if it was Ewido which caused that problem of not being able to boot into normal mode.

I need you to open Ewido, click update, then click "Start Update" to update the definitions, then when it's done, boot into safe mode and run it again. Remove everything it finds again and reboot your computer. If you can't get into normal mode again, please post the log for me first, then restore what Ewido has quarantined once more and we'll do something else there.

If you can get into normal mode, then just post the new Ewido log for me

[brooke d]

yea i thought that was weird also. i double checked thinking maybe i didnt do something right. but i got in.

anyway today i have ran the scan and got into normal mode again afterwards.
here is the log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:15:50 PM, 11/28/2005
+ Report-Checksum: C4CE8CC0

+ Scan result:

C:\Documents and Settings\Brooke\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\brooke@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\brooke@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\[email protected][2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\brooke@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\brooke@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Brooke\Cookies\brooke@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brooke\Desktop\backups\backup-20051120-101053-460.dll -> Spyware.AzSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res179.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res17A.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res17B.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res17C.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res17D.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res17E.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res17F.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res180.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res181.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res182.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res183.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res184.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res185.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res186.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res187.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res188.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res189.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res18A.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res18B.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res18C.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res18D.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res18E.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res18F.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res190.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res191.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res192.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res193.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res194.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res195.tmp -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res196.tmp -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res197.tmp -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res198.tmp -> Spyware.AzSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res199.tmp -> Adware.SaveNow : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res19A.tmp -> Spyware.AzSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res19B.tmp -> Adware.SaveNow : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res19C.tmp -> Spyware.AzSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res19D.tmp -> Not-A-Virus.Hoax.Renos.aa : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res19E.tmp -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res19F.tmp -> Spyware.AzSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res1A0.tmp -> Spyware.WinAD : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res1A1.tmp -> Spyware.AzSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res1A6.tmp -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res1A9.tmp -> Spyware.AzSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res1B0.tmp -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res1B3.tmp -> Adware.SaveNow : Cleaned with backup
C:\Program Files\ewido\security suite\Quarantine\res1B4.tmp -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\SYSTEM32\azesearch4.ocx -> Spyware.AzSearch : Cleaned with backup
C:\WINDOWS\x.exe -> Trojan.Dialer.mi : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.z : Cleaned with backup


::Report


does this mean we might have it fixed???

[Michelle]

Excellent! I'm not sure what caused the problem, but I'm sure glad we got it fixed!

Please post another HiJackThis log for me so I can make sure everything is good before giving you my recommendations to help keep your system clean

[brooke d]

Logfile of HijackThis v1.99.1
Scan saved at 6:47:49 AM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Netopia\C3kWepN.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\Support.com\bin\jobcheck.exe
C:\Program Files\Support.com\bin\tgshell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brooke\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://testimg.charl...s/OBXViewer.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.a...aller_2-0-0.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www3.priv.cml...ch/XMLCache.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://testimg.charl...s/OBXSelect.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firs...r/mapviewer.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

[Michelle]

Good Morning Brooke

First, I strongly recommend uninstalling Bearshare.

Other than that you're good to go!

Congratulations your log is clean! Great job on the clean up

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• Firewall<= A firewall is definitely a must have. Three good free versions are Sygate, Kerio, and ZoneAlarm.

[brooke d]

I thought i removed bearshare a ling time ago. i did it from the control panel/add remove programs. is it somewhere else that i need to remove files?

thanks so much for your help. i'll be making a donation soon!

[Michelle]

Run HiJackThis. Place a check next to the following item and click FIX CHECKED:

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

Close HiJackThis.

Delete the following folder:

C:\Program Files\BearShare

That'll get rid of the rest of what's left

You're very welcome, I'm happy we could help

[Michelle]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.