Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware problems with iTunes

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Malware problems with iTunes

Unread postby GeniusMagic » December 5th, 2005, 10:13 pm

Hi,

I use the Itunes software by apple. Since a few days back it has stopped working. Nothing happens when I double click the itunes icon. Have tried uninstalling/installing, repair etc but to no avail.

I researched a bit on the problem and came to know that it could be a spyware problem. Tried a few suggestions by Apple, stopped all start up progrmas and services in msconfig and rebooted the system. Itunes worked as expected...but I am not sure which program/service is the killer. I cannot keep all of them stopped to use Itunes.

I am posting my HJT log in normal mode below. Was wondering if anyone could have a look n help :


Logfile of HijackThis v1.99.1
Scan saved at 9:09:51 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
E:\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.248.208.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\iacrcw.exe reg_run
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe


Thanks,

P.S : I am pretty sure I have malware as I do get a lot of unwanted pop ups. It would be nice to get rid of it but my primary concern is the Itunes software.
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm
Advertisement
Register to Remove

Unread postby Perculator » December 7th, 2005, 4:53 am

Hello and Welcome to MalwareRemoval Forum


P.S : I am pretty sure I have malware


That is really an understatement, you have a serious problem, but do not worry we will help get your computer like new again ;)

first i want some additional information from you in order to help you.

Start HijackThis
Go to
Open the Misc Tools Session

Click ‘open uninstall manager’
Click the 'save list' button A notepad file will open itself now.
I want you to post the content of that file into your answer here
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby GeniusMagic » December 8th, 2005, 12:53 am

Hi,

Thanks for the reply. What is the serious problem that I have ? Just curious to know what is so seriously wrong here.

Here is the additional information you asked for. Pls find below the contents of the file :

Ad-Aware SE Personal
Adobe Acrobat 5.0
Anti-Leech Plugin for Internet Explorer
ArcSoft Camera Suite 1.3
BitTornado 0.3.7
CCleaner (remove only)
CD/DVD Drive Acoustic Silencer
Check Point VPN-1 SecureClient NG_AI_R56
Citrix Web Client
Content Delivery Module
Display Utility
DVD-RAM Driver
eTrust InoculateIT
ewido security suite
Google Earth
HijackThis 1.99.1
ImageMixer VCD2
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD Creator 2
InterVideo WinDVD for Toshiba
iPassConnect Infosys
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
LimeWire 4.9.7
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Project 2000
Mozilla Firefox (1.0.6)
MSN
MSN Messenger 6.2
MSN Music Assistant
Ofoto Easy Upload ActiveX Control
Panda ActiveScan
Picture Package
QuickTime
RealPlayer
SD Secure Module
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Sony USB Driver
SoundMAX
SP2 Connection Patcher
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
TOSHIBA Zooming Utility
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
VideoLAN VLC media player 0.8.2
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
Yahoo! extras
Yahoo! Messenger


Thanks,
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby Perculator » December 9th, 2005, 6:10 pm

You have the qoologic infection not the most friendly infection , we'll see if we can kill it now

Please download WebRoot SpySweeper from HERE
(It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.

*****
    *Restart the computer.
    *as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    *Use the arrow keys to select the Safe mode menu item
    *press Enter.

  • Open Spysweeper by pressing the Spysweeper icon.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.



reboot the computer in windows' normal mode
and make and post a fresh hijackthis log along with the tresult of spysweeper
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby GeniusMagic » December 9th, 2005, 9:53 pm

Hi,

Ran sweeper successfully. Here is the log :

********
8:23 PM: | Start of Session, Friday, December 09, 2005 |
8:23 PM: Spy Sweeper started
8:23 PM: Sweep initiated using definitions version 582
8:23 PM: Starting Memory Sweep
8:24 PM: Found Adware: clkoptimizer
8:24 PM: Detected running threat: C:\WINDOWS\system32\wuauclt.dll (ID = 143665)
8:24 PM: Memory Sweep Complete, Elapsed Time: 00:01:02
8:24 PM: Starting Registry Sweep
8:24 PM: Found Adware: apropos
8:24 PM: HKLM\software\aprps\ (8 subtraces) (ID = 103741)
8:24 PM: Found Adware: begin2search
8:24 PM: HKCR\btnetw.amo.1\ (3 subtraces) (ID = 104095)
8:24 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
8:24 PM: Found Adware: hotsearchbar toolbar
8:24 PM: HKCR\btnetw.amo\ (5 subtraces) (ID = 104096)
8:24 PM: HKCR\btnetw.iiittt.1\ (3 subtraces) (ID = 104097)
8:24 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
8:24 PM: HKCR\btnetw.iiittt\ (5 subtraces) (ID = 104098)
8:24 PM: HKCR\btnetw.momo.1\ (3 subtraces) (ID = 104099)
8:24 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
8:24 PM: HKCR\btnetw.momo\ (5 subtraces) (ID = 104100)
8:24 PM: HKCR\btnetw.ohb.1\ (3 subtraces) (ID = 104101)
8:24 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
8:24 PM: HKCR\btnetw.ohb\ (5 subtraces) (ID = 104102)
8:24 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
8:24 PM: HKCR\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104109)
8:24 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
8:24 PM: HKCR\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104118)
8:24 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
8:24 PM: HKCR\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104119)
8:24 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
8:24 PM: HKCR\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104120)
8:24 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
8:24 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
8:24 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
8:24 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
8:24 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
8:24 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
8:24 PM: HKLM\software\classes\btnetw.amo.1\ (3 subtraces) (ID = 104145)
8:24 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
8:24 PM: HKLM\software\classes\btnetw.amo\ (5 subtraces) (ID = 104146)
8:24 PM: HKLM\software\classes\btnetw.iiittt.1\ (3 subtraces) (ID = 104147)
8:24 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
8:24 PM: HKLM\software\classes\btnetw.iiittt\ (5 subtraces) (ID = 104148)
8:24 PM: HKLM\software\classes\btnetw.momo.1\ (3 subtraces) (ID = 104149)
8:24 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
8:24 PM: HKLM\software\classes\btnetw.momo\ (5 subtraces) (ID = 104150)
8:24 PM: HKLM\software\classes\btnetw.ohb.1\ (3 subtraces) (ID = 104151)
8:24 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
8:24 PM: HKLM\software\classes\btnetw.ohb\ (5 subtraces) (ID = 104152)
8:24 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
8:24 PM: HKLM\software\classes\clsid\{9ade0443-2ab2-4b23-a3f8-ac520773de12}\ (11 subtraces) (ID = 104159)
8:24 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
8:24 PM: HKLM\software\classes\clsid\{bc54b24c-5a97-4c19-9181-8b8a05b2e931}\ (11 subtraces) (ID = 104168)
8:24 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
8:24 PM: HKLM\software\classes\clsid\{bd9584ef-c28c-4f6d-8d49-0cee3c0e442f}\ (22 subtraces) (ID = 104169)
8:24 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
8:24 PM: HKLM\software\classes\clsid\{c7888681-1a83-4c14-b9a5-95f91240b44f}\ (11 subtraces) (ID = 104170)
8:24 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
8:24 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
8:24 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
8:24 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
8:24 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
8:24 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
8:24 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
8:24 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
8:24 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
8:24 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
8:25 PM: Found Adware: bookedspace
8:25 PM: HKLM\software\configuration manager\cfgmgr52\ (120 subtraces) (ID = 104873)
8:25 PM: HKCR\clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (6 subtraces) (ID = 105953)
8:25 PM: HKCR\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106021)
8:25 PM: HKLM\software\classes\clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (6 subtraces) (ID = 106049)
8:25 PM: HKLM\software\classes\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106116)
8:25 PM: Found Adware: delfin
8:25 PM: HKLM\software\microsoft\windows\currentversion\uninstall\displayutility\ (2 subtraces) (ID = 124879)
8:25 PM: HKLM\software\mvu\ (5 subtraces) (ID = 124885)
8:25 PM: HKLM\software\vidctrl\ (2 subtraces) (ID = 124897)
8:25 PM: Found Adware: networkessentials
8:25 PM: HKLM\software\microsoft\windows\currentversion\uninstall\cdm\ (2 subtraces) (ID = 136172)
8:25 PM: HKLM\software\novo\ (3 subtraces) (ID = 136175)
8:25 PM: HKLM\software\np\ (2 subtraces) (ID = 136176)
8:25 PM: Found Adware: surfsidekick
8:25 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
8:25 PM: Found Adware: icannnews
8:25 PM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
8:25 PM: HKCR\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169451)
8:25 PM: HKCR\clsid\{4208fb4d-4e53-4f5a-bf7a-3e047ddb5281}\ (21 subtraces) (ID = 169452)
8:25 PM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
8:25 PM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
8:25 PM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
8:25 PM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
8:25 PM: HKLM\software\classes\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169458)
8:25 PM: HKLM\software\classes\clsid\{4208fb4d-4e53-4f5a-bf7a-3e047ddb5281}\ (21 subtraces) (ID = 169459)
8:25 PM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
8:25 PM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
8:25 PM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169463)
8:25 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
8:25 PM: HKLM\software\microsoft\internet explorer\extensions\{9e248641-0e24-4ddb-9a1f-705087832ad6}\ (2 subtraces) (ID = 753449)
8:25 PM: Found Adware: browseraid
8:25 PM: HKU\S-1-5-21-79099320-3589331423-903540309-500\software\a70f6a1d-0195-42a2-934c-d8ac0f7c08eb\ (1 subtraces) (ID = 105078)
8:25 PM: Found Adware: clearsearch
8:25 PM: HKU\S-1-5-21-79099320-3589331423-903540309-500\software\microsoft\internet explorer\new windows\allow\ || 69.28.210.175 (ID = 105744)
8:25 PM: HKU\S-1-5-21-79099320-3589331423-903540309-500\software\mvu\ (4 subtraces) (ID = 124884)
8:25 PM: Found Adware: drsnsrch.com hijack
8:25 PM: HKU\S-1-5-21-79099320-3589331423-903540309-500\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
8:25 PM: Found Trojan Horse: trojan-downloader-pacisoft
8:25 PM: HKU\S-1-5-21-79099320-3589331423-903540309-500\software\psof1\ (17 subtraces) (ID = 136530)
8:25 PM: Found Adware: searchtoolbar
8:25 PM: HKU\S-1-5-21-79099320-3589331423-903540309-500\software\{12ee7a5e-0674-42f9-a76b-000000004d00}\ (3 subtraces) (ID = 141347)
8:25 PM: HKU\S-1-5-21-79099320-3589331423-903540309-500\software\surfsidekick3\ (3 subtraces) (ID = 143412)
8:25 PM: Registry Sweep Complete, Elapsed Time:00:00:12
8:25 PM: Starting Cookie Sweep
8:25 PM: Found Spy Cookie: websponsors cookie
8:25 PM: administrator@a.websponsors[2].txt (ID = 3665)
8:25 PM: Found Spy Cookie: yieldmanager cookie
8:25 PM: administrator@ad.yieldmanager[1].txt (ID = 3751)
8:25 PM: Found Spy Cookie: adecn cookie
8:25 PM: administrator@adecn[1].txt (ID = 2063)
8:25 PM: Found Spy Cookie: adknowledge cookie
8:25 PM: administrator@adknowledge[1].txt (ID = 2072)
8:25 PM: Found Spy Cookie: hbmediapro cookie
8:25 PM: administrator@adopt.hbmediapro[2].txt (ID = 2768)
8:25 PM: Found Spy Cookie: hotbar cookie
8:25 PM: administrator@adopt.hotbar[2].txt (ID = 4207)
8:25 PM: Found Spy Cookie: specificclick.com cookie
8:25 PM: administrator@adopt.specificclick[2].txt (ID = 3400)
8:25 PM: Found Spy Cookie: adrevolver cookie
8:25 PM: administrator@adrevolver[1].txt (ID = 2088)
8:25 PM: administrator@adrevolver[2].txt (ID = 2088)
8:25 PM: Found Spy Cookie: addynamix cookie
8:25 PM: administrator@ads.addynamix[1].txt (ID = 2062)
8:25 PM: Found Spy Cookie: pointroll cookie
8:25 PM: administrator@ads.pointroll[1].txt (ID = 3148)
8:25 PM: Found Spy Cookie: advertising cookie
8:25 PM: administrator@advertising[2].txt (ID = 2175)
8:25 PM: Found Spy Cookie: falkag cookie
8:25 PM: administrator@as-eu.falkag[1].txt (ID = 2650)
8:25 PM: administrator@as-us.falkag[1].txt (ID = 2650)
8:25 PM: administrator@as1.falkag[2].txt (ID = 2650)
8:25 PM: Found Spy Cookie: ask cookie
8:25 PM: administrator@ask[1].txt (ID = 2245)
8:25 PM: Found Spy Cookie: atlas dmt cookie
8:25 PM: administrator@atdmt[2].txt (ID = 2253)
8:25 PM: Found Spy Cookie: azjmp cookie
8:25 PM: administrator@azjmp[2].txt (ID = 2270)
8:25 PM: Found Spy Cookie: belnk cookie
8:25 PM: administrator@belnk[1].txt (ID = 2292)
8:25 PM: Found Spy Cookie: bs.serving-sys cookie
8:25 PM: administrator@bs.serving-sys[2].txt (ID = 2330)
8:25 PM: Found Spy Cookie: burstnet cookie
8:25 PM: administrator@burstnet[1].txt (ID = 2336)
8:25 PM: Found Spy Cookie: zedo cookie
8:25 PM: administrator@c5.zedo[1].txt (ID = 3763)
8:25 PM: Found Spy Cookie: casalemedia cookie
8:25 PM: administrator@casalemedia[2].txt (ID = 2354)
8:25 PM: Found Spy Cookie: centrport net cookie
8:25 PM: administrator@centrport[1].txt (ID = 2374)
8:25 PM: Found Spy Cookie: overture cookie
8:25 PM: administrator@data1.perf.overture[1].txt (ID = 3106)
8:25 PM: administrator@data4.perf.overture[2].txt (ID = 3106)
8:25 PM: administrator@dist.belnk[2].txt (ID = 2293)
8:25 PM: Found Spy Cookie: ru4 cookie
8:25 PM: administrator@edge.ru4[2].txt (ID = 3269)
8:25 PM: Found Spy Cookie: 2o7.net cookie
8:25 PM: administrator@entrepreneur.122.2o7[1].txt (ID = 1958)
8:25 PM: Found Spy Cookie: exitexchange cookie
8:25 PM: administrator@exitexchange[1].txt (ID = 2633)
8:25 PM: Found Spy Cookie: fastclick cookie
8:25 PM: administrator@fastclick[2].txt (ID = 2651)
8:25 PM: Found Spy Cookie: clickandtrack cookie
8:25 PM: administrator@hits.clickandtrack[2].txt (ID = 2397)
8:25 PM: Found Spy Cookie: linksynergy cookie
8:25 PM: administrator@linksynergy[1].txt (ID = 2926)
8:25 PM: Found Spy Cookie: maxserving cookie
8:25 PM: administrator@maxserving[2].txt (ID = 2966)
8:25 PM: administrator@media.fastclick[2].txt (ID = 2652)
8:25 PM: Found Spy Cookie: nextag cookie
8:25 PM: administrator@nextag[1].txt (ID = 5014)
8:25 PM: Found Spy Cookie: partypoker cookie
8:25 PM: administrator@partypoker[2].txt (ID = 3111)
8:25 PM: administrator@perf.overture[1].txt (ID = 3106)
8:25 PM: Found Spy Cookie: questionmarket cookie
8:25 PM: administrator@questionmarket[2].txt (ID = 3217)
8:25 PM: Found Spy Cookie: realmedia cookie
8:25 PM: administrator@realmedia[2].txt (ID = 3235)
8:25 PM: Found Spy Cookie: rn11 cookie
8:25 PM: administrator@rn11[2].txt (ID = 3261)
8:25 PM: Found Spy Cookie: serving-sys cookie
8:25 PM: administrator@serving-sys[2].txt (ID = 3343)
8:25 PM: Found Spy Cookie: reliablestats cookie
8:25 PM: administrator@stats1.reliablestats[1].txt (ID = 3254)
8:25 PM: Found Spy Cookie: targetnet cookie
8:25 PM: administrator@targetnet[1].txt (ID = 3489)
8:25 PM: Found Spy Cookie: trafficmp cookie
8:25 PM: administrator@trafficmp[2].txt (ID = 3581)
8:25 PM: Found Spy Cookie: tribalfusion cookie
8:25 PM: administrator@tribalfusion[2].txt (ID = 3589)
8:25 PM: Found Spy Cookie: coremetrics cookie
8:25 PM: administrator@twci.coremetrics[1].txt (ID = 2472)
8:25 PM: Found Spy Cookie: burstbeacon cookie
8:25 PM: administrator@www.burstbeacon[1].txt (ID = 2335)
8:25 PM: administrator@yieldmanager[1].txt (ID = 3749)
8:25 PM: Found Spy Cookie: adserver cookie
8:25 PM: administrator@z1.adserver[1].txt (ID = 2142)
8:25 PM: administrator@zedo[1].txt (ID = 3762)
8:25 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
8:25 PM: Starting File Sweep
8:25 PM: c:\windows\cfgmgr52 (28 subtraces) (ID = -2147479590)
8:25 PM: Found Adware: elitebar
8:25 PM: c:\windows\etb (1 subtraces) (ID = -2147476235)
8:25 PM: c:\windows\system32\upd (ID = -2147480530)
8:25 PM: c:\windows\system32\vidctrl (ID = -2147481117)
8:25 PM: c:\documents and settings\all users\application data\vidctrl (ID = -2147477475)
8:25 PM: c:\program files\aprps (8 subtraces) (ID = -2147481420)
8:26 PM: bsva-egihsg52.exe (ID = 95082)
8:26 PM: Found Adware: weirdontheweb
8:26 PM: weirdontheweb_ventura.exe (ID = 87900)
8:27 PM: wuauclt.dll (ID = 143665)
8:28 PM: vgactl.cpl (ID = 143664)
8:28 PM: sskknwrd.dll (ID = 77733)
8:28 PM: activex.ocx (ID = 93701)
8:30 PM: dice23.ico (ID = 51024)
8:31 PM: Found Trojan Horse: trojan-downloader-mainstreamdollars
8:31 PM: btnetw3_venturahot_246765.exe (ID = 80728)
8:31 PM: Found Trojan Horse: trojan-downloader-traf34
8:31 PM: gsm3-0511.exe (ID = 81005)
8:33 PM: uninstaller.exe (ID = 50178)
8:33 PM: cxtpls.exe (ID = 50095)
8:33 PM: stlb2.xml (ID = 51947)
8:34 PM: wingenerics.dll (ID = 50187)
8:35 PM: weirdontheweb.url (ID = 87896)
8:35 PM: sskcwrd.dll (ID = 77712)
8:35 PM: Found Adware: exact cashback/bargain buddy
8:35 PM: backup-20050623-200253-642.inf (ID = 50858)
8:39 PM: File Sweep Complete, Elapsed Time: 00:14:41
8:39 PM: Full Sweep has completed. Elapsed time 00:16:05
8:39 PM: Traces Found: 951
8:40 PM: Removal process initiated
8:41 PM: Quarantining All Traces: clearsearch
8:41 PM: Quarantining All Traces: clkoptimizer
8:41 PM: clkoptimizer is in use. It will be removed on reboot.
8:41 PM: C:\WINDOWS\system32\wuauclt.dll is in use. It will be removed on reboot.
8:41 PM: Quarantining All Traces: elitebar
8:41 PM: Quarantining All Traces: icannnews
8:41 PM: Quarantining All Traces: apropos
8:41 PM: Quarantining All Traces: begin2search
8:41 PM: Quarantining All Traces: delfin
8:41 PM: Quarantining All Traces: surfsidekick
8:41 PM: Quarantining All Traces: trojan-downloader-mainstreamdollars
8:41 PM: Quarantining All Traces: trojan-downloader-pacisoft
8:41 PM: Quarantining All Traces: trojan-downloader-traf34
8:41 PM: Quarantining All Traces: bookedspace
8:41 PM: Quarantining All Traces: browseraid
8:41 PM: Quarantining All Traces: drsnsrch.com hijack
8:41 PM: Quarantining All Traces: exact cashback/bargain buddy
8:41 PM: Quarantining All Traces: hotsearchbar toolbar
8:41 PM: Quarantining All Traces: networkessentials
8:41 PM: Quarantining All Traces: searchtoolbar
8:41 PM: Quarantining All Traces: weirdontheweb
8:41 PM: Quarantining All Traces: 2o7.net cookie
8:41 PM: Quarantining All Traces: addynamix cookie
8:41 PM: Quarantining All Traces: adecn cookie
8:41 PM: Quarantining All Traces: adknowledge cookie
8:41 PM: Quarantining All Traces: adrevolver cookie
8:41 PM: Quarantining All Traces: adserver cookie
8:41 PM: Quarantining All Traces: advertising cookie
8:41 PM: Quarantining All Traces: ask cookie
8:41 PM: Quarantining All Traces: atlas dmt cookie
8:41 PM: Quarantining All Traces: azjmp cookie
8:41 PM: Quarantining All Traces: belnk cookie
8:41 PM: Quarantining All Traces: bs.serving-sys cookie
8:41 PM: Quarantining All Traces: burstbeacon cookie
8:41 PM: Quarantining All Traces: burstnet cookie
8:41 PM: Quarantining All Traces: casalemedia cookie
8:41 PM: Quarantining All Traces: centrport net cookie
8:41 PM: Quarantining All Traces: clickandtrack cookie
8:41 PM: Quarantining All Traces: coremetrics cookie
8:41 PM: Quarantining All Traces: exitexchange cookie
8:41 PM: Quarantining All Traces: falkag cookie
8:41 PM: Quarantining All Traces: fastclick cookie
8:41 PM: Quarantining All Traces: hbmediapro cookie
8:41 PM: Quarantining All Traces: hotbar cookie
8:41 PM: Quarantining All Traces: linksynergy cookie
8:41 PM: Quarantining All Traces: maxserving cookie
8:41 PM: Quarantining All Traces: nextag cookie
8:41 PM: Quarantining All Traces: overture cookie
8:41 PM: Quarantining All Traces: partypoker cookie
8:41 PM: Quarantining All Traces: pointroll cookie
8:41 PM: Quarantining All Traces: questionmarket cookie
8:41 PM: Quarantining All Traces: realmedia cookie
8:41 PM: Quarantining All Traces: reliablestats cookie
8:41 PM: Quarantining All Traces: rn11 cookie
8:41 PM: Quarantining All Traces: ru4 cookie
8:41 PM: Quarantining All Traces: serving-sys cookie
8:41 PM: Quarantining All Traces: specificclick.com cookie
8:41 PM: Quarantining All Traces: targetnet cookie
8:41 PM: Quarantining All Traces: trafficmp cookie
8:41 PM: Quarantining All Traces: tribalfusion cookie
8:41 PM: Quarantining All Traces: websponsors cookie
8:41 PM: Quarantining All Traces: yieldmanager cookie
8:41 PM: Quarantining All Traces: zedo cookie
8:42 PM: Removal process completed. Elapsed time 00:01:51
********
8:13 PM: | Start of Session, Friday, December 09, 2005 |
8:13 PM: Spy Sweeper started
8:14 PM: Your spyware definitions have been updated.


and the Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 8:49:05 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
E:\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.248.208.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunesHelper.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\iacrcw.exe reg_run
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Thanks,
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby Perculator » December 10th, 2005, 12:46 pm

Open spysweeper

Click (on the left) Quarantained
Click (at the bottom) select all
Click (at the right bottom corner) Delete selected
and close spysweeper


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Open ewido and Update it (don't forget) But do not perform a scan yet.


Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished,

You perform a full scan with Ewido
Save the report it makes to your desktop


please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder and the report from ewido.
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby GeniusMagic » December 10th, 2005, 2:53 pm

Hi,

I cleaned up the Quarantined sweeper items and updated my ewido security suite definitions.

But when I tried to run RunThis.bat from the apropos fix folder...I got the following error message and the program terminated :


16 bit MS DOS Subsystem

C:\WINDOWS\system32\cmd.exe
The NTVDM CPU has encountered an illegal instruction.
CS: 0de3 IP: 00b7 OP :65 63 69 66 79 Choose 'close' to terminate the application.


I must mention that such a thing started to happen a couple of weeks ago. I am wondering if something has corrupted my cmd.exe

I did not run the Ewido security scan as I was not able to complete the previous step.

Thanks,
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby Perculator » December 10th, 2005, 4:07 pm

Ok perfect

throw away the apropos folder,
Download XP fix.
Double-click the file and let it run.

after you've done that, reboot your computer

download the aproposfix again install it but do not use it yet

then reboot into safe mode and
resume with the fix like i gave you before

goodluck
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby GeniusMagic » December 11th, 2005, 11:26 am

Hi,

I deleted the apropos folder. Downloaded and ran XP fix. It said something abt replacing missing XP files and completed successfuly.

I rebooted the comp, downloaded and installed apropos fix.

Rebooted again into the safe mode and tried to run RunThis.bat from the apropos folder but I got the same error aagin. A message box that read something like :

16 bit MS DOS Subsystem

C:\WINDOWS\system32\cmd.exe
The NTVDM CPU has encountered an illegal instruction.
CS: 0de3 IP: 00b7 OP :65 63 69 66 79 Choose 'close' to terminate the application.


I pressed Ignore 4-5 times on the messagebox...but the program did not seem to work.

Maybe some malware is not allowing me to use this program ?
I did not run the Ewido security suite after this.

Thanks,
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby Perculator » December 12th, 2005, 6:02 pm

Hi, I'm working on your problem, i try to bring a solution on tomorrow
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby Perculator » December 22nd, 2005, 4:43 pm

Hi download the apropos removal tool from the following link

Apropos removal tool by symantec

and run it on your computer

after that reboot your computer and show me a fresh hijackthis log

we still need some work to do by the way
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Please help

Unread postby GeniusMagic » December 24th, 2005, 7:13 pm

I downloaded Fix Aprop from the link you gave and ran the tool. It did some scanning for a while and after it finished it came up with a message

Spyware.Apropos has not been found on your computer.


While it was peforming its scan... another spyware removal tool started on its own , something by the name of WinHound Spyware and started scanning the pc...reported that I have spyware on my computer...opened a webpage and even changed my wallpaper to a black scren with a message in red that says " Warning Spyware Detected on your computer. Install an antivirus or sopyware remover to clean your computer. Click here to see a list of top spyware removers".


This is really getting worse for me. It does not even let me change the wallpaper coz I cant even access the wallpaper and screen saver settings by right clickin on the desktop. Its really annoying.

I am sure my problem has worsened. I request some genuine help as soon as possible. Below is my latest HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 6:05:20 PM, on 12/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
E:\iTunesHelper.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\links.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.248.208.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\iacrcw.exe reg_run
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
GeniusMagic
Regular Member
 
Posts: 77
Joined: June 20th, 2005, 11:28 pm

Unread postby Perculator » December 25th, 2005, 6:14 am

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



***
Go to
Start
Control panel
Add/remove programs

And search in the list for
Winhound

And press the change/remove button.


***
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

***

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

***

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

***

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

***
===================================================
Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe

The next blue one will probably come back but check it anyway

O18 - Filter hijack: text/xml - (no CLSID) - (no file)

now click Fix checked
and close hijackthis
===================================================

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

***
remove the following folder if still present
C:\Program Files\WinHound

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

***

Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

***

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby ChrisRLG » December 26th, 2005, 4:11 pm

Perculator

Sorry to say the email account used by this victim has been disabled or closed - I have received a bounced message - so you may not get any replies.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby NonSuch » January 9th, 2006, 3:39 am

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 501 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware