Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

TBPS.exe


Unread postby Middle Of Nowhere » November 10th, 2005, 4:33 am

Hi valdestana

I need you to follow the below instructions:

Let's look for, and delete, any program segments (prefetches) that might be present and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these programs' base name(s), in all files and folders:

TBPSSvc.exe*


2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\PROGRA~1\Toolbar\TBPSSvc.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============

Run HiJackThis once more and click "Scan", then check (tick) the following, if present:

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Please download Ewido Security Suite, it is a free version of the program.
  1. Install ewido security suite
  2. When installing the program, under "Additional Options" uncheck...
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should now be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  8. Close Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Once the updates are installed, do the following:
  1. Reboot computer into "Safe Mode" using the "F8" method...
    • As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
    • Use the arrow keys to select the Safe Mode menu item
  2. Once in Safe Mode start Ewido Security Suite
  3. Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  4. Click on Complete System Scan, the scan will now begin.
  5. While the scan is in progress you will be prompted to clean files, click OK.
  6. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  7. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  8. Click Save Report.
  9. Now save the report .txt file to your desktop.
  10. Close Ewido Security Suite


==================

Once Ewido has finished scanning, restart Windows back into normal mode and do a new HJT log, which you need to post back here along with the Ewido log as well. Thanks
Middle Of Nowhere
Retired Graduate
Posts: 677
Joined: May 30th, 2005, 2:08 pm
Location: Derbyshire, UK
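As an added illustration for this thread, not HijackThis code and not the helper's own procedure: a small Python triage that reads HJT log lines of the three kinds the instructions above deal with (O2, O4, O23) and flags the TBPSSvc service entry. The watch list, the severity labels and the sample log lines are constructed for the example (the sample reuses the line format of the log posted later in this thread).

```python
"""Triage a HijackThis (HJT) v1.99 log for the entry types the instructions
above ask to check: O2 BHOs, O4 autoruns and O23 services.

Added example for this thread; not HijackThis code and not the helper's own
procedure. WATCH_LIST, the severities and the sample log are assumptions."""
import ntpath
import re
from dataclasses import dataclass, field

# Basenames of the files this thread is trying to remove (assumed watch list).
WATCH_LIST = {"tbpssvc.exe", "tbps.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): "
                   r"\[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
FILE_MISSING = " (file missing)"

# Constructed sample in HJT's line format (entries of the kind seen in this thread).
SAMPLE_HJT_LOG = "\n".join([
    r"Logfile of HijackThis v1.99.1",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [POINTER] point32.exe",
    r"O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
])


@dataclass
class Finding:
    section: str              # HJT section: "O2", "O4" or "O23"
    severity: str             # "high" | "medium" | "low"
    line: str                 # the log line as written
    reasons: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Program path from an O4 command line; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_hjt(log_text: str) -> list:
    """One Finding per log line that deserves a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if m := O23_RE.match(line):
            section, path = "O23", m["path"]
            if path.endswith(FILE_MISSING):          # service still registered, binary gone
                path = path[: -len(FILE_MISSING)]
                reasons.append("service binary is missing; the registration is an orphan")
            if m["owner"] == "Unknown owner":
                reasons.append("no publisher recorded for the service")
            if ntpath.basename(path).lower() in WATCH_LIST:
                reasons.append("service binary is on the watch list")
        elif m := O4_RE.match(line):
            section, exe = "O4", executable_of(m["cmd"])
            if ntpath.basename(exe).lower() in WATCH_LIST:
                reasons.append("autorun target is on the watch list")
            if not ntpath.isabs(exe):               # bare name is resolved via PATH at logon
                reasons.append("autorun uses a bare file name instead of a full path")
        elif m := O2_RE.match(line):
            section = "O2"
            if m["name"] == "(no name)":
                reasons.append("BHO has no name; confirm the DLL belongs to software you installed")
        else:
            continue
        if reasons:
            if any("watch list" in r for r in reasons):
                severity = "high"
            elif section == "O2":
                severity = "low"
            else:
                severity = "medium"
            findings.append(Finding(section, severity, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.severity}] {f.section}: {f.line}")
        for r in f.reasons:
            print("    -", r)
```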

Unread postby valdestana » November 13th, 2005, 6:27 pm

Hi Fiona

Thank you for the response and help generally. I am pleased to say that I think the problem is now resolved!

I did follow your advice (or tried to on Friday) but ran Ewido in Normal mode (rather than Safe Mode) as I had not read your instructions properly.

Nevertheless, it did seem to work as I could find no trace of TBPS.exe anywhere in the system. I have repeated tonight, doing it as recommended and I think the result is the same. I post the log of HJT below:

Logfile of HijackThis v1.99.1
Scan saved at 22:09:32, on 13/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\USBDRIVE\shwicon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis-2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ShowIcon_Justrams_USB Drives Driver v1.19r020] "C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero\Nero BackItUp\NBJ.exe"
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleo ... gleNav.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/se ... loader.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

and the log of Ewido scan done just now also below:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 21:59:11, 13/11/2005
+ Report-Checksum: 7D97AB44

+ Scan result:

:mozilla.6:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.51:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.52:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.53:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.54:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.70:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.71:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.76:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
:mozilla.85:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.92:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.93:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.94:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.95:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.96:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.111:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.112:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.114:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.115:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.116:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.117:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.118:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.119:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.136:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.137:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.138:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.139:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.140:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.141:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.148:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.149:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.150:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.152:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.153:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.154:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.155:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.156:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.157:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.187:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.188:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.212:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.624:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.625:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.626:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.666:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.669:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.676:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.677:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.678:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.679:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.680:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.681:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.686:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.688:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.689:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.691:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.693:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.695:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.696:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.698:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.700:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.714:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Spinbox : Cleaned with backup
:mozilla.716:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.726:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.761:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.762:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.766:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.794:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.797:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.800:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.801:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.802:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.803:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.804:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.805:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.815:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.822:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.834:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.857:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.863:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.864:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.869:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.871:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.882:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Inet-cash : Cleaned with backup
:mozilla.883:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Inet-cash : Cleaned with backup
:mozilla.908:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.909:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.910:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.916:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.974:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.977:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
C:\Documents and Settings\CHRIS\Cookies\chris@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\10814850.asw/newmajorse2.txt -> Spyware.WebSearch : Error during cleaning
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\63909995.asw/newmajorse2.txt -> Spyware.WebSearch : Error during cleaning
C:\System Volume Information\_restore{72E453E3-8C9E-4248-9A9F-5DA190DCB4B9}\RP1\A0000081.dll -> Spyware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{72E453E3-8C9E-4248-9A9F-5DA190DCB4B9}\RP7\A0005795.dll -> Spyware.WebSearch : Cleaned with backup
C:\unzipped\hijackthis\backups\backup-20051026-231744-217.dll -> Spyware.Wintol : Cleaned with backup
C:\WINDOWS\Temp\~390961.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~521753.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~543796.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~562897.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~586577.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~587316.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~645754.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~716705.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~836215.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~856138.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~871647.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~878320.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~896033.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~916576.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~931495.tmp -> Spyware.Wintools : Error during cleaning


::Report End



I do thank you for all your help; I don't think I could have achieved this without it. I had recently bought the programme Chem Table Reg Organiser to help get rid of it. I did not know much about it but had read something to the effect that it might assist.

What it did actually do was make it clear there was a problem. Your excellent help and advice seems to have helped to finally get rid of it!

One final question:
Is it necessary to do anything with the system restore function to avoid a recurrence?
valdestana
Regular Member
Posts: 17
Joined: October 27th, 2005, 3:05 pm
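An added example, not ewido's own code and not part of valdestana's post: a Python summary of an ewido scan report in the format posted above, separating cookie hits from file detections, backup and restore-point copies from live files, and listing what could not be cleaned. The sample lines reuse paths from the posted report; the backup-location markers and the classification rules are assumptions.

```python
"""Summarise an ewido security suite scan report in the format posted above:
separate tracking-cookie hits from file detections, separate backup and
restore-point copies from live files, and list what ewido could not clean.

Added example for this thread, not ewido's own code. The line format and the
sample paths come from the posted report; the classification rules are assumptions."""
import re
from collections import Counter

# "<location> -> <detection name> : <status>"
RESULT_RE = re.compile(r"^(?P<location>.+?) -> (?P<detection>[^:]+?) : (?P<status>.+)$")
COOKIE_ENTRY_RE = re.compile(r"^:mozilla\.\d+:")   # one record inside Firefox's cookies.txt
ERROR_STATUS = "Error during cleaning"

# Locations holding copies of already-removed files rather than active ones
# (System Restore snapshots, AOL Spyware Protection and HijackThis backups).
BACKUP_MARKERS = (
    r"\system volume information\_restore",
    r"\aol spyware protection\backup",
    r"\hijackthis\backups",
)

# Constructed sample: a subset of lines from the report above (paths as posted).
SAMPLE_REPORT = "\n".join([
    r":mozilla.6:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup",
    r":mozilla.85:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup",
    r"C:\Documents and Settings\CHRIS\Cookies\chris@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup",
    r"C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\10814850.asw/newmajorse2.txt -> Spyware.WebSearch : Error during cleaning",
    r"C:\System Volume Information\_restore{72E453E3-8C9E-4248-9A9F-5DA190DCB4B9}\RP7\A0005795.dll -> Spyware.WebSearch : Cleaned with backup",
    r"C:\unzipped\hijackthis\backups\backup-20051026-231744-217.dll -> Spyware.Wintol : Cleaned with backup",
    r"C:\WINDOWS\Temp\~390961.tmp -> TrojanDownloader.WinTool : Error during cleaning",
    r"C:\WINDOWS\Temp\~562897.tmp -> Spyware.Wintools : Error during cleaning",
])


def parse_report(text: str) -> list:
    """Parse result lines into dicts; header, checksum and blank lines are ignored."""
    items = []
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue
        location, detection, status = m["location"], m["detection"].strip(), m["status"].strip()
        lowered = location.lower()
        items.append({
            "location": location,
            "detection": detection,
            "status": status,
            # Cookie hits are tracking noise, not executable code on the system.
            "is_cookie": detection.startswith("Spyware.Cookie.") or bool(COOKIE_ENTRY_RE.match(location)),
            "is_backup_copy": any(marker in lowered for marker in BACKUP_MARKERS),
        })
    return items


def summarise(items: list) -> dict:
    """Counts plus the two lists an analyst acts on: backup copies and live failures."""
    files = [i for i in items if not i["is_cookie"]]
    return {
        "total": len(items),
        "cookies": sum(1 for i in items if i["is_cookie"]),
        "by_status": Counter(i["status"] for i in items),
        "families": Counter(i["detection"] for i in files),
        "backup_copies": [i["location"] for i in files if i["is_backup_copy"]],
        # Active files ewido could not clean: these need a follow-up such as
        # clearing the Temp folder and rescanning.
        "live_failed": [i["location"] for i in files
                        if not i["is_backup_copy"] and i["status"] == ERROR_STATUS],
    }


if __name__ == "__main__":
    summary = summarise(parse_report(SAMPLE_REPORT))
    print(f"{summary['total']} results, {summary['cookies']} of them cookies")
    print("by status:", dict(summary["by_status"]))
    print("file detections by family:", dict(summary["families"]))
    print("copies in backups/restore points:", *summary["backup_copies"], sep="\n  ")
    print("live files not cleaned:", *summary["live_failed"], sep="\n  ")
```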

Unread postby Middle Of Nowhere » November 14th, 2005, 1:42 pm

Hi

I noticed Ewido had some trouble with something, so that is why you need to run it again.

Next stage, you need to do the following:

Download CCleaner from here to clean temp files from your computer.

  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted.  (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

Next you need to run Ewido again as follows:
  • Locate Ewido and double click on its icon.
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Security Suite


Once complete can you post a new HJT Log also the Ewido log as well. Thanks
Middle Of Nowhere
Retired Graduate
 
Posts: 677
Joined: May 30th, 2005, 2:08 pm
Location: Derbyshire, UK

Unread postby valdestana » November 14th, 2005, 5:59 pm

Hi Fiona,

Just when you thought it was safe................................................... :(

I think I have spotted the Ewido file and post current scan below:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 21:44:15, 14/11/2005
+ Report-Checksum: 18201067

+ Scan result:

:mozilla.24:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.25:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.37:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.38:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.39:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.40:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.41:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.43:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.45:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.97:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\10814850.asw/newmajorse2.txt -> Spyware.WebSearch : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\63909995.asw/newmajorse2.txt -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{72E453E3-8C9E-4248-9A9F-5DA190DCB4B9}\RP15\A0007144.dll -> Spyware.Wintol : Cleaned with backup
C:\WINDOWS\Temp\~390961.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~521753.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~543796.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~562897.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~586577.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~587316.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~645754.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~716705.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~836215.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~856138.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~871647.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~878320.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~896033.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~916576.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~931495.tmp -> Spyware.Wintools : Error during cleaning


::Report End

Don't like the look of the reference above to Wintools - where has that come from?

I have just run an HJT scan too and post below:

Logfile of HijackThis v1.99.1
Scan saved at 21:44:52, on 14/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\USBDRIVE\shwicon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis-2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ShowIcon_Justrams_USB Drives Driver v1.19r020] "C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero\Nero BackItUp\NBJ.exe"
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleo ... gleNav.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/se ... loader.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

Grateful for any advice and thanks again for all your help,
valdestana
Regular Member
 
Posts: 17
Joined: October 27th, 2005, 3:05 pm
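An added example, not part of this thread and not HijackThis's own code: a small Python triage pass over HijackThis O4 (registry autostart) and O23 (service) lines of the kind posted above. It flags Run entries that name a bare executable resolved through the search path rather than a fixed location, autostarts that live in temporary directories, and services whose binary is missing on disk or carries no owner information. The sample log below is constructed for the example; the `Updater` entry and the `ExSvc` service are invented to show what a hit looks like, while the other lines mirror ordinary entries like those in the log above. Treat a flag as a prompt to check the file, not a verdict: legitimate software also shows up as "Unknown owner" (the AOL service above) or as a plain filename (point32.exe, nwiz.exe).

```python
import re

# O4 registry autostart line:  O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# O23 service line:  O23 - Service: Display Name (ShortName) - Owner - path [ (file missing)]
# The "(ShortName)" part is absent in some real log lines, so it is an optional group here.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# Autostart binaries living here deserve a second look; droppers favour writable temp dirs.
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\local settings\\")


def executable_of(command):
    """Pick the program a Run command really starts: the quoted path, the first word, or,
    for rundll32, the DLL it is told to load (the DLL is the payload, rundll32 only hosts it)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def triage_hjt(log_text):
    """Return (section, name, reason) tuples for entries that deserve a closer look.
    These are hints for a human reviewer, not verdicts: legitimate software trips them too."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("command"))
            if "\\" not in exe:
                findings.append(("O4", m.group("name"),
                                 "bare filename %r is resolved via the search path, not a fixed location" % exe))
            elif any(marker in exe.lower() for marker in TEMP_DIRS):
                findings.append(("O4", m.group("name"), "autostart from a temporary directory: " + exe))
            continue
        m = O23_RE.match(line)
        if m:
            ident = m.group("short") or m.group("display")
            if m.group("path").endswith("(file missing)"):
                findings.append(("O23", ident, "service binary missing on disk: " + m.group("path")))
            if m.group("owner") == "Unknown owner":
                findings.append(("O23", ident, "service binary carries no company/version information"))
    return findings


# Constructed sample in HijackThis v1.99.1 format. "Updater" and "ExSvc" are invented
# suspicious entries; the remaining lines are shaped like ordinary ones from a real log.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:44:52, on 14/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Updater] C:\WINDOWS\Temp\updater.exe /silent
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Example Toolbar support NT service (ExSvc) - Unknown owner - C:\PROGRA~1\Toolbar\ExSvc.exe (file missing)
"""

if __name__ == "__main__":
    for section, name, reason in triage_hjt(SAMPLE_HJT_LOG):
        print("%-4s %-10s %s" % (section, name, reason))
```

Paste the full text of a saved HijackThis log in place of the sample to run it over a real scan; the O2/O3/O16 sections are not parsed here and still need reading by hand.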

Unread postby Middle Of Nowhere » November 16th, 2005, 7:04 am

Hi

I need you to follow the below instructions:

I need you to go to From Here and download System Security Suite.
Install then run it.
You will have a screen that has several items to check to delete.
On the left side for Internet Explorer, check the Temporary Files box
and on the right side in the My Computer part, check temporary files also.
You may want to check the recycle bin also. Click "Clear Selected Items" and then reboot the computer when prompted.

Please can you run ewido once again and post the log.

Thanks
Middle Of Nowhere
Retired Graduate
 
Posts: 677
Joined: May 30th, 2005, 2:08 pm
Location: Derbyshire, UK

Unread postby valdestana » November 17th, 2005, 6:28 am

Hi Fiona,

Thanks - will try this, probably over the weekend now.
valdestana
Regular Member
 
Posts: 17
Joined: October 27th, 2005, 3:05 pm

Unread postby valdestana » November 20th, 2005, 5:00 pm

Hi Fiona,

This is the Ewido scan:
I have done what you suggested with the new programme.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:55:07, 20/11/2005
+ Report-Checksum: EDACECCB

+ Scan result:

:mozilla.9:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.10:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.31:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.88:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.89:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.90:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.91:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.92:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.93:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.94:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.95:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.96:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.97:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.98:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.127:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.129:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.158:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.159:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.162:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\WINDOWS\Temp\~390961.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~521753.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~543796.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~562897.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~586577.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~587316.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~645754.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~716705.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~836215.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~856138.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~871647.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~878320.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~896033.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~916576.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~931495.tmp -> Spyware.Wintools : Error during cleaning


::Report End


Hope this helps-grateful for all your assistance so far. All the very best,

valdestana
Regular Member
 
Posts: 17
Joined: October 27th, 2005, 3:05 pm

Unread postby Middle Of Nowhere » November 22nd, 2005, 5:50 am

Hi

Please can you tell me whether you have run Ewido in safe mode or not?

I am asking as your last log you posted from Ewido showed some errors.
Middle Of Nowhere
Retired Graduate
 
Posts: 677
Joined: May 30th, 2005, 2:08 pm
Location: Derbyshire, UK

Unread postby valdestana » November 22nd, 2005, 7:17 am

Hi Fiona,

No, I think I ran the Ewido scan in normal mode.

I can redo it in Safe Mode if this will improve results?

Thanks for the prompt response,
valdestana
Regular Member
 
Posts: 17
Joined: October 27th, 2005, 3:05 pm

Unread postby Middle Of Nowhere » November 23rd, 2005, 5:17 am

Hi valdestana

  1. Reboot computer into "Safe Mode" using the "F8" method...
    • As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
    • Use the arrow keys to select the Safe Mode menu item
  2. Once in Safe Mode start Ewido Security Suite
  3. Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  4. Click on Complete System Scan, the scan will now begin.
  5. While the scan is in progress you will be prompted to clean files, click OK.
  6. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  7. Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  8. Click Save Report.
  9. Now save the report .txt file to your desktop.
  10. Close Ewido Security Suite


Once complete, restart Windows back into normal mode, then copy/paste the ewido log along with a new HJT log back here. Thanks
Middle Of Nowhere
Retired Graduate
 
Posts: 677
Joined: May 30th, 2005, 2:08 pm
Location: Derbyshire, UK

Unread postby valdestana » November 23rd, 2005, 6:32 pm

Hi Fiona

Have done as suggested and post log below:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:20:51, 23/11/2005
+ Report-Checksum: 1AB76CC1

+ Scan result:

:mozilla.18:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.19:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.82:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.83:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.84:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.85:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.94:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.107:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.110:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.111:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.112:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.113:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.126:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.128:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.129:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.130:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.131:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.132:C:\Documents and Settings\CHRIS\Application Data\Mozilla\Firefox\Profiles\lzhin6v4.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\WINDOWS\Temp\~390961.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~521753.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~543796.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~562897.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~586577.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~587316.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~645754.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~716705.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~836215.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~856138.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~871647.tmp -> Spyware.Wintools : Error during cleaning
C:\WINDOWS\Temp\~878320.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~896033.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~916576.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~931495.tmp -> Spyware.Wintools : Error during cleaning


::Report End

Thanks for the advice,

All the best,
valdestana
Regular Member
 
Posts: 17
Joined: October 27th, 2005, 3:05 pm

Unread postby Middle Of Nowhere » November 26th, 2005, 5:43 pm

Hi

As Ewido is still finding "Error during cleaning", I recommend you do the following:

First thing you need to do is generate a startup list, as follows:

  • Open HiJack This
  • Click Open the misc tool section
  • Make sure there is a check mark (tick) in List also Minor sections
  • Click Generate Startup list

---------------------

The next thing you need to do is download Silent Runners. Unzip the file to your desktop.

Locate the folder and open it, then double click the Silent Runners program. Once the program has started, a dialogue box will appear asking whether to Skip Supplementary scan; press No. The program will do its thing and it will then save a log.

----------------------

  • Download FindRK-files.zip from here.
  • Extract the RK-files.zip folder from zip to your desktop. (it cannot be run from the zip)
  • Reboot into safe mode. Open the RK-files folder.
  • Double click the "rkfiles.bat" icon. It can take a while to run. Leave it to do its work.
  • When the black cmd.exe window closes reboot your computer in "Normal Mode".
  • A log file was created. It is found at C:\Log.txt.
  • Locate the log and add it to your next post along with the Silent Runners log and Startup list.
Thanks :)
Middle Of Nowhere
Retired Graduate
 
Posts: 677
Joined: May 30th, 2005, 2:08 pm
Location: Derbyshire, UK
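An added example, not part of this thread and not ewido's own code: a Python helper that parses the "Scan result" section of two consecutive ewido reports and separates the objects the scanner could not clean into those that persist from scan to scan, those that were resolved, and those that are new. The two sample reports below are constructed in the ewido format for this example (the Temp file names follow the reports posted above; the user name, profile id and restore-point GUID are placeholders). When the same Temp objects still fail after a safe-mode run, as in the three reports above, the comparison makes that plain and points at the files that need another removal route.

```python
import re
from collections import Counter

# One ewido "Scan result" line looks like:
#   <object> -> <detection name> : <action taken>
# The object may itself contain colons (cookie entries are prefixed ":mozilla.N:"),
# so the line is split on the fixed " -> " and " : " separators, not on ':' alone.
RESULT_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$")


def parse_report(text):
    """Return the result entries of one ewido scan report as dicts (path, detection, action)."""
    entries = []
    in_results = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+ Scan result:"):
            in_results = True
            continue
        if line.startswith("::Report End"):
            break
        if not in_results or not line:
            continue
        match = RESULT_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def failed_paths(entries):
    """Objects the scanner detected but could not clean ("Error during cleaning")."""
    return {e["path"] for e in entries if e["action"].startswith("Error")}


def actions_summary(entries):
    """How many entries ended in each action, e.g. {'Cleaned with backup': 3, 'Error during cleaning': 2}."""
    return Counter(e["action"] for e in entries)


def compare_reports(earlier_text, later_text):
    """Split the failed cleanings of two consecutive scans into persistent, resolved and new."""
    before = failed_paths(parse_report(earlier_text))
    after = failed_paths(parse_report(later_text))
    return {
        "persistent": sorted(before & after),  # still not cleaned: needs a different removal route
        "resolved": sorted(before - after),    # no longer reported as failed
        "new": sorted(after - before),         # appeared since the earlier scan: possible reinfection
    }


# Constructed sample reports in the ewido format (not the reports posted in this thread;
# user name, profile id and restore-point GUID are placeholders).
REPORT_NORMAL_MODE = r"""ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 21:44:15, 14/11/2005
+ Report-Checksum: 00000000

+ Scan result:

:mozilla.7:C:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\WINDOWS\Temp\~390961.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~562897.tmp -> Spyware.Wintools : Error during cleaning
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP15\A0007144.dll -> Spyware.Wintol : Cleaned with backup


::Report End
"""

REPORT_SAFE_MODE = r"""ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:20:51, 23/11/2005
+ Report-Checksum: 00000000

+ Scan result:

:mozilla.9:C:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Temp\~390961.tmp -> TrojanDownloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~562897.tmp -> Spyware.Wintools : Cleaned with backup
C:\WINDOWS\Temp\~716705.tmp -> TrojanDownloader.WinTool : Error during cleaning


::Report End
"""

if __name__ == "__main__":
    for label, paths in compare_reports(REPORT_NORMAL_MODE, REPORT_SAFE_MODE).items():
        print(label + ":")
        for path in paths:
            print("   " + path)
```

Run it as-is to print the comparison of the two samples; to compare real scans, read the two saved report .txt files into strings and pass them to compare_reports in chronological order.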

Unread postby valdestana » November 27th, 2005, 3:38 pm

Hi,

Have tried to carry out the steps you have set out.

I post below the RK-files log - at least this is all I can locate in C:\Log.txt on the PC.
C:\Documents and Settings\CHRIS\Desktop

And this is the Silent Runners List:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"IncrediMail" = "C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"NBJ" = ""C:\Program Files\ahead\Nero\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative Technology Ltd."]
"CTAvTray" = "C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" ["Creative Technology Ltd."]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" [null data]
"CoolSwitch" = "C:\WINDOWS\System32\taskswitch.exe" [null data]
"FastUser" = "C:\WINDOWS\System32\fast.exe" [MS]
"POINTER" = "point32.exe" [MS]
"ShowIcon_Justrams_USB Drives Driver v1.19r020" = ""C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020"" ["MyComp"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [null data]
"AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"IncrediMail" = "C:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"CTAVTray" = "C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI" ["Creative Technology Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msvdm.dll" [null data]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\phototoys.dll" [MS]
"{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\slideshow.dll" [MS]
"{A58686ED-FC46-44C3-95C6-4A812AB776F1}" = "NetFerret IE Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\FerretSoft\WebFerret\FerretBand.dll" [null data]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\NetFerret.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\OpenOffice.org1.1.5\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\INCRED~1\bin\ImShExt.dll" ["IncrediMail, Ltd."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "CHRIS" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\CHRIS\Start Menu\Programs\Startup
"OpenOffice.org 1.1.5" -> shortcut to: "C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AOL Tray Icon" -> shortcut to: "C:\Program Files\AOL 9.0\aoltray.exe -check" ["America Online, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"ZoneAlarm" -> shortcut to: "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" ["Zone Labs Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - CHRIS" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{A58686ED-FC46-44C3-95C6-4A812AB776F1}" = "WebFerret" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\FerretSoft\WebFerret\FerretBand.dll" [null data]

"{8B68564D-53FD-4293-B80C-993A9F3988EE}" = "Wanadoo"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll" [empty string]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online, Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
InteractiveLogon, InteractiveLogon, "C:\WINDOWS\System32\Fast.exe -service" [MS]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools"]
Service de lancement de WlanCfg, Wlancfg, "C:\Program Files\Inventel\Gateway\wlancfg.exe SVC" ["Inventel"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor S630\Driver = "CNMLM3e.DLL" ["CANON INC."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
SSGB3 Langmon\Driver = "ssgb3mon.dll" ["Samsung Electronics."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 71 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 26 seconds.
---------- (total run time: 159 seconds)



Finally the startup list as requested:

StartupList report, 27/11/2005, 18:41:58
StartupList version: 1.52.2
Started from : C:\unzipped\hijackthis-2\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\USBDRIVE\shwicon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\unzipped\hijackthis-2\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\CHRIS\Start Menu\Programs\Startup]
OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
CTAvTray = C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
FastUser = C:\WINDOWS\System32\fast.exe
POINTER = point32.exe
ShowIcon_Justrams_USB Drives Driver v1.19r020 = "C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020"
nwiz = nwiz.exe /install
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
AOL Spyware Protection = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
IncrediMail = C:\Program Files\IncrediMail\bin\IncMail.exe /c
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

CTAVTray = C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
NBJ = "C:\Program Files\ahead\Nero\Nero BackItUp\NBJ.exe"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - CHRIS.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\System32\macromed\Shockwave 10\Download.dll
CODEBASE = http://fpdownload.macromedia.com/get/sh ... tor/sw.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab

[{6CB5E471-C305-11D3-99A8-000086395495}]
CODEBASE = http://toolbar.google.com/data/en/deleo ... gleNav.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Me ... Client.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/C ... 1220833333

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

[IMDownloader Class]
CODEBASE = http://www2.incredimail.com/contents/se ... loader.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
AOL Connectivity Service: "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (autostart)
AOL Spyware Protection Service: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.EXE (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
InteractiveLogon: C:\WINDOWS\System32\Fast.exe -service (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
Norton AntiVirus Firewall Monitor Service: "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PC Tools Spyware Doctor: C:\Program Files\Spyware Doctor\sdhelp.exe (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Service de lancement de WlanCfg: C:\Program Files\Inventel\Gateway\wlancfg.exe SVC (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 14,680 bytes
Report generated in 0.230 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I hope this helps. The RK-files operation seemed to work properly in Safe Mode, and that is the only log I can locate.

Thanks again for your help
valdestana
Regular Member
 
Posts: 17
Joined: October 27th, 2005, 3:05 pm

Unread postby Middle Of Nowhere » November 28th, 2005, 5:17 am

Hi :)

Thanks for the latest information, I'll go over it and get back to you shortly.

Can you tell me if you have any User Accounts on your computer or do you use the one area only?

Thanks
Middle Of Nowhere
Retired Graduate
 
Posts: 677
Joined: May 30th, 2005, 2:08 pm
Location: Derbyshire, UK

Unread postby valdestana » November 28th, 2005, 1:17 pm

Hi fiona,

We have three accounts on the machine but I think only one is ever used

All the best,

:roll:
valdestana
Regular Member
 
Posts: 17
Joined: October 27th, 2005, 3:05 pm