Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

SpyAxe trouble.... Please help.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

SpyAxe trouble.... Please help.

Unread postby cogoni » December 28th, 2005, 7:14 am

Hello. I have excatly the same problem that carrie has.

Here is my hijackthis logfile, Linkmaster if you would kindly review mine too. Cheers.

Logfile of HijackThis v1.99.1
Scan saved at 11:14:19, on 28/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\windows\system32\crypserv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\conrad\Desktop\KillBox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\RegCleaner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.steampowered.com/forums
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Global Startup: adobe gamma loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\windows\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Edited by Kimberly - removed the code brackets (log is easier to read like that)
Last edited by cogoni on December 28th, 2005, 2:06 pm, edited 1 time in total.
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am
Advertisement
Register to Remove

Unread postby Kimberly » December 28th, 2005, 11:21 am

Hello cogoni,

Did you run the smitrem fix and Ewido in Safe Mode ? Did you let the spyaxe uninstaller do it's job ? If you took steps to cure, please can you post the log from the smitrem fix (c:\smitfiles.txt) and the log from the Ewido Scan please. - Which instructions did you follow ? Maybe SpySweeper did interfer with the fix.

Desktop problem:

Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Next, click on the tab themes, select Windows XP in the dropdrown box and click Apply. Click on the Desktop tab and select the wallpaper of your choice and click Apply then Ok.

Let me know if that fixes it.
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby cogoni » December 28th, 2005, 11:47 am

Kimberly wrote:Hello cogoni,

Did you run the smitrem fix and Ewido in Safe Mode ? Did you let the spyaxe uninstaller do it's job ? If you took steps to cure, please can you post the log from the smitrem fix (c:\smitfiles.txt) and the log from the Ewido Scan please. - Which instructions did you follow ? Maybe SpySweeper did interfer with the fix.

Desktop problem:

Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Next, click on the tab themes, select Windows XP in the dropdrown box and click Apply. Click on the Desktop tab and select the wallpaper of your choice and click Apply then Ok.

Let me know if that fixes it.


Hi, yes i followed it step by step but still the smitrem didnt get rid of the problem.
I solved the dekstop problem. But smitrem doesnt nothing on my computer...

Here is the log:

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 28/12/2005
The current time is: 12:37:14.00

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SpyAxeFix © by noahdfear

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{A2C8F6B1-7C2A-3D1C-A3C6-A1FDA113B43F}"="Security Update"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

Here is the ewido log:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:45:36, 27/12/2005
+ Report-Checksum: AC42BA5F

+ Scan result:

C:\Program Files\RegCleaner\Backups\backup-20051227-140049-325.dll -> Downloader.Zlob.dk : Cleaned with backup
C:\Program Files\RegCleaner\Backups\backup-20051227-140145-584.dll -> Downloader.Zlob.dk : Cleaned with backup
C:\Program Files\RegCleaner\Backups\backup-20051227-153022-119.dll -> Downloader.Zlob.dk : Cleaned with backup
C:\Program Files\RegCleaner\Backups\backup-20051227-153158-601.dll -> Downloader.Zlob.dk : Cleaned with backup
C:\Program Files\RegCleaner\Backups\backup-20051227-153213-553.dll -> Downloader.Zlob.dk : Cleaned with backup


::Report End
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am

Unread postby cogoni » December 28th, 2005, 2:07 pm

Also please note, that Smitrem doesnt get rid of the spyware on my computer. Im sure its being constantly generated by a hidden trojan on start up.
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am

Unread postby Kimberly » December 28th, 2005, 3:14 pm

SpyAxeFix © by noahdfear

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller


Smitrem did his job, maybe you didn't follow the exact steps .... In any of the logs I can't see anything remaining related to Spyaxe, just a registry leftover.

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
______________________________

Please post the Kasperksy log, along with a new Hijack this log and let me know what exactly are the remaining problems.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby cogoni » December 28th, 2005, 3:33 pm

Kimberly wrote:
what exactly are the remaining problems.


The 'your computer is infected!' bubble in the task bar.

Karparsky scan is pending. Thanks.
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am

Unread postby Kimberly » December 28th, 2005, 5:11 pm

Post the results of the Kaspersky scan for now along with a new HijackThis log and we'll see from here on.
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby cogoni » December 28th, 2005, 5:17 pm

------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 21:15:25
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/12/2005
Kaspersky Anti-Virus database records: 168063
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan Statistics:
Total number of scanned objects: 173255
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 5793 sec

Infected Object Name - Virus Name
C:\Documents and Settings\conrad\.housecall\Quarantine\mscornet.exe.bac_a02572 Infected: Trojan-Downloader.Win32.Zlob.bv

Scan process completed.

======================================

And here is my hijackthis log file:


Logfile of HijackThis v1.99.1
Scan saved at 21:17:45, on 28/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\windows\system32\crypserv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\windows\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RegCleaner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.steampowered.com/forums
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Global Startup: adobe gamma loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... pote_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\windows\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am

Unread postby Kimberly » December 28th, 2005, 11:23 pm

Hello cogoni,

Please print out or copy these instructions\tutorials to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Let's go over the fix again, although your scans show up clean. Maybe something went wrong or incorrect. Please disable the following programs for now.

Disable Microsoft AntiSpyware
  1. Open Microsoft AntiSpyware.
  2. Click on Options, Settings.
  3. In the left pane, click on Real-time Protection.
  4. Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  5. Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
  6. After you unchecked these, click on the Save button and close Microsoft AntiSpyware.
  7. Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware.
Disable SpySweeper
  1. Open it and click Options over to the left then Program Options
  2. Uncheck Load At Windows Startup.
  3. Over to the left click Shields and uncheck all there.
  4. Uncheck Home Page Shield.
  5. Uncheck Automaticly Restore Default Without Notifiction.
______________________________

Delete the Smitrem.exe and the smitrem folder. Redownload it.
Please download SmitRem.exe by noahdfear to your Desktop.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop.
______________________________

You will need to update Ewido to the latest definition files. Start Ewido.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green
  • Under Safety
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under Definitions
    • Prompt to udate outdated definitions - set to 7 days
Click on the Scanning Button of the left and select in green
  • Under Driver, Folders & Files
    • Scan Within Archives
  • Under Select drives & folders to scan
    • choose all hard drives
  • Under Memory & Registry
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
Click on the Advanced Button on the left and select in green
  • Under Shell Integration
    • Move deleted files to Recycle Bin
  • Under Logfile Detail Level
    • Include addtional object information
    • DESELECT - Include negligible objects information (make it show a red X)
    • Include environment information
  • Under Alternate Data Streams
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green
  • Under the Scanning Engine (Click on the + sign to expand)
    • DESELECT Unload recognized processes & modules during scan (make it show a red X)
    • Scan registry for all users instead of current user only
  • Under the Cleaning Engine (Click on the + sign to expand)
    • Always try to unload modules before deletion
    • During Removal, unload Explorer and IE if necessary
    • Let Windows remove files in use at next reboot
  • Under the Log Files (Click on the + sign to expand)
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Include reference summarry in log file
    • Include alternate data stream details in log file
Click on Proceed to save the settings and close the program.
______________________________

If not already installed, download and install the VX2 Cleaner 2.0 plugin from Lavasoft by following the instructions below.

Installing VX2 Cleaner 2.0
  1. Close Ad-Aware, if it is currently open.
  2. Download the VX2 Cleaner 2.0 Plug-in here.
  3. Install the VX2 Cleaner by clicking on vx2cleaner_inst.exe.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Open the smitRem Folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Procede like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido.
______________________________

Start Ad-Aware SE
  • Click on Add-ons
  • Select the VX2 Cleaner plug-in and click Run Tool
  • If your computer isn’t infected, click Close.
    OR
  • If you computer is infected with VX2, a dialog box with text such as New VX2 variant found or VX2 variant 1 found will appear.
  • Press Clean and a dialog box with text The first phase completed. Please reboot and perform a Smart Scan will appear.
  • Reboot your computer
  • Run Ad-Aware and Click on the Scan Now Button
    • Choose Perform Full System Scan
    • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
    Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

    Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
Repeat this until the VX2 Cleaner reports System clean. Press Close to exit.

Run Ad-Aware one more time and perform a Perform Full System Scan of your computer to make sure VX2 has been found and removed. Reboot in Normal Mode
______________________________

Run Panda's ActiveScan and perform a full system scan.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your e-mail address.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
  • Click on Local Disks to start the scan.
Upon scan completion, if anything malicious is detected, click See Report, then click Save Report and save it to your Desktop.
______________________________

Download WinPFind.zip to your Desktop or to your usual Download Folder.
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.

Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

Post a new HijackThis log along with the results from smitfiles.txt, the Ewido log, ActiveScan results and the C:\WinPFindWinPFind.txt. Your may need several replies to post the requested logs, otherwise they might get cut off.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby cogoni » December 29th, 2005, 8:24 am

Hi, here are my log files. In order of completion.


Code: Select all
 smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 29/12/2005 
The current time is:  8:52:18.95

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!


 checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~

wbeconm.dll
svcp.csv


 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~


 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 800 'explorer.exe'
Killing PID 800 'explorer.exe'

Starting registry repairs

Deleting files


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

 CLEAN! :)


Code: Select all
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:			10:33:48, 29/12/2005
 + Report-Checksum:		2CC3996D

 + Scan result:

	C:\Program Files\Microsoft AntiSpyware\Quarantine\9B64BE5B-3986-44A5-91CE-559B2D\CBA4168F-301C-4990-90DD-C47DFD -> Adware.Spyaxe : Cleaned with backup
	C:\Program Files\Microsoft AntiSpyware\Quarantine\9E0864CD-5388-40C8-8D0D-C28C33\0FE0EE3E-FDE6-4DB6-8B2C-5CCC10 -> Adware.Spyaxe : Cleaned with backup


::Report End


Code: Select all
Ad-Aware SE Build 1.06r1
Logfile Created on:29 December 2005 10:41:15
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R82 19.12.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.SpyAxe(TAC index:4):23 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R82 19.12.2005
Internal build : 95
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 568938 Bytes
Total size : 1707938 Bytes
Signature data size : 1673520 Bytes
Reference data size : 33906 Bytes
Signatures total : 47471
CSI Fingerprints total : 1252
CSI data size : 36173 Bytes
Target categories : 15
Target families : 807

29-12-2005 10:40:12 Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R82 19.12.2005
Internal build : 95
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 568938 Bytes
Total size : 1707938 Bytes
Signature data size : 1673520 Bytes
Reference data size : 33906 Bytes
Signatures total : 47471
CSI Fingerprints total : 1252
CSI data size : 36173 Bytes
Target categories : 15
Target families : 807


29-12-2005 10:40:17 Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:14 %
Total physical memory:261476 kb
Available physical memory:36516 kb
Total page file size:632504 kb
Available on page file:430716 kb
Total virtual memory:2097024 kb
Available virtual memory:2038220 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Don't log streams smaller than 0 Bytes
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


29-12-2005 10:41:15 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 480
    ThreadCreationTime : 29-12-2005 10:37:29
    BasePriority       : Normal


#:2 [csrss.exe]
    FilePath           : \??\C:\windows\system32\
    ProcessID          : 540
    ThreadCreationTime : 29-12-2005 10:37:32
    BasePriority       : Normal


#:3 [winlogon.exe]
    FilePath           : \??\C:\windows\system32\
    ProcessID          : 568
    ThreadCreationTime : 29-12-2005 10:37:35
    BasePriority       : High


#:4 [services.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 612
    ThreadCreationTime : 29-12-2005 10:37:38
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : services.exe

#:5 [lsass.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 624
    ThreadCreationTime : 29-12-2005 10:37:38
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : lsass.exe

#:6 [svchost.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 764
    ThreadCreationTime : 29-12-2005 10:37:42
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:7 [svchost.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 856
    ThreadCreationTime : 29-12-2005 10:37:44
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:8 [svchost.exe]
    FilePath           : C:\windows\System32\
    ProcessID          : 932
    ThreadCreationTime : 29-12-2005 10:37:46
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:9 [svchost.exe]
    FilePath           : C:\windows\System32\
    ProcessID          : 1020
    ThreadCreationTime : 29-12-2005 10:37:46
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:10 [svchost.exe]
    FilePath           : C:\windows\System32\
    ProcessID          : 1112
    ThreadCreationTime : 29-12-2005 10:37:47
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:11 [lexbces.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1252
    ThreadCreationTime : 29-12-2005 10:37:52
    BasePriority       : Normal
    FileVersion        : 7.4
    ProductVersion     : 7.4
    ProductName        : MarkVision for Windows (32 bit)
    CompanyName        : Lexmark International, Inc.
    FileDescription    : LexBce Service
    InternalName       : LexBce Service
    LegalCopyright     : (C) 1993 - 2002 Lexmark International, Inc.
    OriginalFilename   : LexBceS.exe

#:12 [spoolsv.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 1276
    ThreadCreationTime : 29-12-2005 10:37:52
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion     : 5.1.2600.2696
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : spoolsv.exe

#:13 [lexpps.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1284
    ThreadCreationTime : 29-12-2005 10:37:52
    BasePriority       : Normal
    FileVersion        : 7.4
    ProductVersion     : 7.4
    ProductName        : MarkVision for Windows (32 bit)
    CompanyName        : Lexmark International, Inc.
    FileDescription    : LEXPPS.EXE
    InternalName       : LEXPPS
    LegalCopyright     : (C) 1993 - 2002 Lexmark International, Inc.
    OriginalFilename   : LEXPPS.EXE
    Comments           : MarkVision for Windows '95 New P2P Server  (32-bit)

#:14 [avgamsvr.exe]
    FilePath           : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID          : 1436
    ThreadCreationTime : 29-12-2005 10:37:53
    BasePriority       : Normal
    FileVersion        : 7,1,0,365
    ProductVersion     : 7.1.0.365
    ProductName        : AVG Anti-Virus System
    CompanyName        : GRISOFT, s.r.o.
    FileDescription    : AVG Alert Manager
    InternalName       : avgamsvr
    LegalCopyright     : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename   : avgamsvr.EXE

#:15 [avgupsvc.exe]
    FilePath           : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID          : 1616
    ThreadCreationTime : 29-12-2005 10:37:56
    BasePriority       : Normal
    FileVersion        : 7,1,0,349
    ProductVersion     : 7.1.0.349
    ProductName        : AVG 7.0 Anti-Virus System
    CompanyName        : GRISOFT, s.r.o.
    FileDescription    : AVG Update Service
    InternalName       : avgupsvc
    LegalCopyright     : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename   : avgupdsvc.EXE

#:16 [avgemc.exe]
    FilePath           : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID          : 1660
    ThreadCreationTime : 29-12-2005 10:37:56
    BasePriority       : Normal
    FileVersion        : 7,1,0,371
    ProductVersion     : 7.1.0.371
    ProductName        : AVG Anti-Virus System
    CompanyName        : GRISOFT, s.r.o.
    FileDescription    : AVG E-Mail Scanner
    InternalName       : avgemc
    LegalCopyright     : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename   : avgemc.exe

#:17 [svchost.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 1688
    ThreadCreationTime : 29-12-2005 10:37:57
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:18 [crypserv.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 1700
    ThreadCreationTime : 29-12-2005 10:37:57
    BasePriority       : High
    FileVersion        : 5.4.0
    ProductVersion     : 5.4
    ProductName        : CrypKey Software Licensing System
    CompanyName        : Kenonic Controls Ltd.
    FileDescription    : CrypKey NT Service
    InternalName       : crypserv
    LegalCopyright     : Copyright © 2000
    LegalTrademarks    : CrypKey
    OriginalFilename   : crypserv.exe
    Comments           : Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths

#:19 [explorer.exe]
    FilePath           : C:\windows\
    ProcessID          : 1728
    ThreadCreationTime : 29-12-2005 10:37:57
    BasePriority       : Normal
    FileVersion        : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 6.00.2900.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE

#:20 [ewidoctrl.exe]
    FilePath           : C:\Program Files\ewido anti-malware\
    ProcessID          : 1760
    ThreadCreationTime : 29-12-2005 10:37:59
    BasePriority       : Normal
    FileVersion        : 3, 0, 0, 1
    ProductVersion     : 3, 0, 0, 1
    ProductName        : ewido control
    CompanyName        : ewido networks
    FileDescription    : ewido control
    InternalName       : ewido control
    LegalCopyright     : Copyright © 2004
    OriginalFilename   : ewidoctrl.exe

#:21 [mdm.exe]
    FilePath           : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
    ProcessID          : 1792
    ThreadCreationTime : 29-12-2005 10:38:00
    BasePriority       : Normal
    FileVersion        : 7.00.9466
    ProductVersion     : 7.00.9466
    ProductName        : Microsoft® Visual Studio .NET
    CompanyName        : Microsoft Corporation
    FileDescription    : Machine Debug Manager
    InternalName       : mdm.exe
    LegalCopyright     : © Microsoft Corporation.  All rights reserved.
    OriginalFilename   : mdm.exe

#:22 [nvsvc32.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 1832
    ThreadCreationTime : 29-12-2005 10:38:00
    BasePriority       : Normal
    FileVersion        : 6.14.10.5664
    ProductVersion     : 6.14.10.5664
    ProductName        : NVIDIA Driver Helper Service, Version 56.64
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 56.64
    InternalName       : NVSVC
    LegalCopyright     : (C) NVIDIA Corporation. All rights reserved.
    OriginalFilename   : nvsvc32.exe

#:23 [svchost.exe]
    FilePath           : C:\windows\System32\
    ProcessID          : 1872
    ThreadCreationTime : 29-12-2005 10:38:00
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:24 [wrsssdk.exe]
    FilePath           : C:\Program Files\Webroot\Spy Sweeper\
    ProcessID          : 1884
    ThreadCreationTime : 29-12-2005 10:38:01
    BasePriority       : Normal
    FileVersion        : 2,0,7,442
    ProductVersion     : 2, 0
    ProductName        : Spy Sweeper SDK
    CompanyName        : Webroot Software, Inc.
    FileDescription    : Spy Sweeper SDK
    LegalCopyright     : Copyright (C) 2002 - 2005, All Rights Reserved.
    LegalTrademarks    : Spy Sweeper is a trademark of Webroot Software, Inc.
    OriginalFilename   : SpySweeper.exe

#:25 [ezsp_px.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 256
    ThreadCreationTime : 29-12-2005 10:38:08
    BasePriority       : Normal


#:26 [uaservice7.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 408
    ThreadCreationTime : 29-12-2005 10:38:10
    BasePriority       : Normal
    FileVersion        : 1,1,0,0
    CompanyName        : Sony DADC Austria AG.
    FileDescription    : SecuROM User Access Service (V7).
    LegalCopyright     : Copyright (C) 2004/05 Sony DADC Austria AG
    OriginalFilename   : UAService7.exe
    Comments           : SecuROM User Access Service (V7).

#:27 [ssaad.exe]
    FilePath           : C:\PROGRA~1\Sony\SONICS~1\
    ProcessID          : 512
    ThreadCreationTime : 29-12-2005 10:38:11
    BasePriority       : Normal
    FileVersion        : 3.2.00.06030
    FileDescription    : SonicStage Atrac Hard Disk Monitor
    InternalName       : SonicStage Atrac Hard Disk Monitor
    LegalCopyright     : Copyright 2005 Sony Corporation

#:28 [mspmspsv.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 460
    ThreadCreationTime : 29-12-2005 10:38:11
    BasePriority       : Normal
    FileVersion        : 7.00.00.1956
    ProductVersion     : 7.00.00.1956
    ProductName        : Microsoft (R) DRM
    CompanyName        : Microsoft Corporation
    FileDescription    : WMDM PMSP Service
    InternalName       : MSPMSPSV.EXE
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-2000
    OriginalFilename   : MSPMSPSV.EXE

#:29 [avgcc.exe]
    FilePath           : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID          : 1156
    ThreadCreationTime : 29-12-2005 10:38:20
    BasePriority       : Normal
    FileVersion        : 7,1,0,355
    ProductVersion     : 7.1.0.355
    ProductName        : AVG Anti-Virus System
    CompanyName        : GRISOFT, s.r.o.
    FileDescription    : AVG Control Center
    InternalName       : AvgCC
    LegalCopyright     : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename   : AvgCC.EXE

#:30 [jusched.exe]
    FilePath           : C:\Program Files\Java\jre1.5.0_06\bin\
    ProcessID          : 1180
    ThreadCreationTime : 29-12-2005 10:38:21
    BasePriority       : Normal


#:31 [ctfmon.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 1208
    ThreadCreationTime : 29-12-2005 10:38:21
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : CTF Loader
    InternalName       : CTFMON
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : CTFMON.EXE

#:32 [ssscsisv.exe]
    FilePath           : C:\Program Files\Common Files\Sony Shared\AVLib\
    ProcessID          : 2196
    ThreadCreationTime : 29-12-2005 10:38:34
    BasePriority       : Normal
    FileVersion        : 3.2.00.06030
    ProductVersion     : 3.2.00
    ProductName        : SonicStage
    CompanyName        : Sony Corporation
    FileDescription    : SonicStage Scsi I/F Server
    InternalName       : SSScsiSV
    LegalCopyright     : Copyright 2005 Sony Corporation
    OriginalFilename   : SSScsiSV.EXE

#:33 [alg.exe]
    FilePath           : C:\windows\System32\
    ProcessID          : 2404
    ThreadCreationTime : 29-12-2005 10:38:38
    BasePriority       : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion     : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Application Layer Gateway Service
    InternalName       : ALG.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : ALG.exe

#:34 [wuauclt.exe]
    FilePath           : C:\windows\system32\
    ProcessID          : 2876
    ThreadCreationTime : 29-12-2005 10:39:14
    BasePriority       : Normal
    FileVersion        : 5.8.0.2469 built by: lab01_n(wmbla)
    ProductVersion     : 5.8.0.2469
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Automatic Updates
    InternalName       : wuauclt.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : wuauclt.exe

#:35 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID          : 3052
    ThreadCreationTime : 29-12-2005 10:40:01
    BasePriority       : Normal
    FileVersion        : 6.2.0.236
    ProductVersion     : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft AB Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : typelib\{2bb3bcbf-411a-4c67-8e69-f4bb301dc333}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{0f68a8aa-a9a8-4711-be36-ae363efa6443}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{28420952-c82b-47d9-a042-fa2217d8a082}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{3c099c83-8587-4b35-8af0-fc3a169ce14f}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{3fe13f31-e890-4c37-8213-4b5f9a511c26}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{4cad27dc-1b60-42f4-820e-316fe0a13512}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{54874d12-c0c6-44cc-83fb-2c35202f881b}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{54a3200b-d76e-48d1-b35c-d87eaf6d90bd}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{663dfe59-032c-46fb-a09a-ffc2dc074f54}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{69ce4fbc-4861-4206-8211-dd5a9ee79ad3}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{afa9056f-aa11-4771-ae01-04ecfde18206}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{b8f2487f-aa6a-4914-9a3f-db84e6868d66}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{e4645720-e02f-4bb2-8e6d-be7653dd1bf2}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{fa46b160-c9dd-4040-b9d9-ccf5d3db5438}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{fc1f0c2c-8117-427d-816c-215b68524f74}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{fd1eee96-8dc7-478d-be3b-7d06ac67fb66}

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : interface\{fd8e5ed7-0091-416f-a55b-1d072d58a24f}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 18


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Scanning Hosts file......
Hosts file location:"C:\windows\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
704 entries scanned.
New critical objects:0
Objects found so far: 18




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_CLASSES_ROOT
    Object             : appid\spyaxe.exe

 Malware.SpyAxe Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\windows\currentversion\app paths\spyaxe.exe

 Malware.SpyAxe Object Recognized!
    Type               : File
    Data               : SpyAxe 3.0.lnk
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Object             : C:\Documents and Settings\conrad\Start Menu\



 Malware.SpyAxe Object Recognized!
    Type               : File
    Data               : SpyAxe 3.0.lnk
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Object             : C:\Documents and Settings\conrad\Application Data\microsoft\internet explorer\quick launch\



 Malware.SpyAxe Object Recognized!
    Type               : File
    Data               : SpyAxe.lnk
    TAC Rating         : 4
    Category           : Malware
    Comment            : 
    Object             : C:\Documents and Settings\conrad\Desktop\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 23

10:55:36 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:14:21.563
Objects scanned:193304
Objects identified:23
Objects ignored:0
New critical objects:23


Code: Select all
Active scan:

Incident                      Status                        Location                                                                                                                                                                                                                                                        

Adware:adware/popupsandbannersNot desinfected               C:\WINDOWS\timessquare1.dat


Code: Select all
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
	SV1	 = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
	{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}	 = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
	{85BBD920-42A0-1069-A2E4-08002B30309D}	 = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
	{750fdf0e-2a26-11d1-a3ea-080036587f03}	 = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
	{09799AFB-AD67-11d1-ABCD-00C04FC30936}	 = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
	{A470F8CF-A1E8-4f65-8335-227475AA5C46}	 = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
	{6EE51AA0-77A0-11D7-B4E1-000347126E46}	 = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
	{B41DB860-8EE4-11D2-9906-E49FADC173CA}	 = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
	Start Menu Pin	 = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
	{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}	 = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
	{85BBD920-42A0-1069-A2E4-08002B30309D}	 = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
	{7C9D5882-CB4A-4090-96C8-430BFE8B795B}	 = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
	{B41DB860-8EE4-11D2-9906-E49FADC173CA}	 = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
	{A470F8CF-A1E8-4f65-8335-227475AA5C46}	 = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
	{750fdf0e-2a26-11d1-a3ea-080036587f03}	 = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
	{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}	 = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
	{6EE51AA0-77A0-11D7-B4E1-000347126E46}	 = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
	{B41DB860-8EE4-11D2-9906-E49FADC173CA}	 = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
	 = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
	 = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
	 = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
	 = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
	 = 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
	&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
	MenuText	 = Sun Java Console	: C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
	 = 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
	 = 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
	File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
	Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
	History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
	Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
	{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
	{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = 	: 
	{2318C2B1-4965-11D4-9B18-009027A5CD4F} = 	: 
	{1C78AB3F-A857-482E-80C0-3A1E5238A565} = 	: 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
	{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
	{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
	{9595C62C-76C6-49A6-9BDA-3253DD7A34FF} = 	: 
	{2318C2B1-4965-11D4-9B18-009027A5CD4F} = 	: 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
	NvCplDaemon	RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
	gcasServ	"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
	ezShieldProtector for Px	C:\WINDOWS\system32\ezSP_Px.exe
	SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
	AVG7_CC	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
	SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
	IMAIL	Installed = 1
	MAPI	Installed = 1
	MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
	ctfmon.exe	C:\windows\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk
	backup	C:\WINDOWS\pss\broadband medic.lnkCommon Startup
	location	Common Startup
	command	C:\PROGRA~1\ntl\BROADB~1\bin\matcli.exe -boot
	item	broadband medic
	backup	C:\WINDOWS\pss\broadband medic.lnkCommon Startup
	location	Common Startup
	command	C:\PROGRA~1\ntl\BROADB~1\bin\matcli.exe -boot
	item	broadband medic

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk
	backup	C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
	location	Common Startup
	item	Microsoft Works Calendar Reminders
	backup	C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
	location	Common Startup
	item	Microsoft Works Calendar Reminders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk
	backup	C:\WINDOWS\pss\VAIO Action Setup (Server).lnkCommon Startup
	location	Common Startup
	command	C:\PROGRA~1\Sony\VAIOAC~1\VAServ.exe 
	item	VAIO Action Setup (Server)
	backup	C:\WINDOWS\pss\VAIO Action Setup (Server).lnkCommon Startup
	location	Common Startup
	command	C:\PROGRA~1\Sony\VAIOAC~1\VAServ.exe 
	item	VAIO Action Setup (Server)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
	key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
	item	NvCpl
	hkey	HKLM
	command	RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
	inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
	system.ini	0
	win.ini	0
	bootini	0
	services	0
	startup	2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
	NoCDBurning	0
	NoActiveDesktopChanges	0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
	{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
	{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
	{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
	dontdisplaylastusername	0
	legalnoticecaption	
	legalnoticetext	
	shutdownwithoutlogon	1
	undockwithoutlogon	1
	DisableTaskMgr	0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
	NoComponents	0
	NoAddingComponents	0
	NoDeletingComponents	0
	NoEditingComponents	0
	NoHTMLWallPaper	0
	NoChangingWallPaper	0
	NoCloseDragDropBands	0
	NoMovingBands	0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
	NoDriveTypeAutoRun	145
	SpecifyDefaultButtons	0
	Btn_Search	0
	NoBandCustomize	0
	NoToolbarCustomize	0
	NoActiveDesktop	0
	NoSaveSettings	0
	ClassicShell	0
	NoThemesTab	0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
	DisableTaskMgr	0
	NoColorChoice	0
	NoSizeChoice	0
	NoDispScrSavPage	0
	NoDispCPL	0
	NoVisualStyleChoice	0
	NoDispSettingsPage	0
	NoDispAppearancePage	0
	NoDispBackgroundPage	0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
	PostBootReminder               	{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
	CDBurn                         	{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
	WebCheck                       	{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\windows\system32\xp2728112.dll
	SysTray                        	{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
	UserInit	= C:\WINDOWS\system32\userinit.exe,
	Shell		= Explorer.exe
	System		= 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
	 = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
	 = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
	 = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
	 = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
	 = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
	 = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
	 = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
	 = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
	 = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
	 = WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
	Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
	AppInit_DLLs	


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 29/12/2005 12:22:42
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am

Unread postby cogoni » December 29th, 2005, 9:11 am

Logfile of HijackThis v1.99.1
Scan saved at 13:10:38, on 29/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\windows\system32\crypserv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\Explorer.EXE
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RegCleaner\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Global Startup: adobe gamma loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... pote_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\windows\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am

Unread postby cogoni » December 29th, 2005, 9:13 am

I dont get annoying 'your computer is effected' bubble in the task bar anymore.
But there are lights flashing on my modem, which is unusual because im not connected to the internet when it happens.
My system is also laggy too. Not as much as before, but my hardrive light is flashing constantly for no apparent reason.....
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am

Unread postby Kimberly » December 29th, 2005, 10:03 am

Hello cogoni,

The smitrem fix found 2 more files, Ad-Aware found some shortcuts and registry entries, so obviously the first time the clean up didn't work as expected.

We did empty the prefetch folder, which might explain why your computer is running a little bit slower, after a few reboots, the folder will get populated again.

If your HDD is flashing when your computer is idle, the defrag utility might be running since we did erase an amount of files. Let's do a defrag and see if things are running better but first we'll reset system restore.

Please reset System Restore to remove eventual backups of the spyware and trojans.

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to the turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.
______________________________

Click Start > Run > type in CMD and hit enter.
In the CMD window, type chkdsk /f and hit enter. If you are using the NTFS system, you'll get a message that the volume is locked. It will ask you to run at next boot, anwser yes and close the CMD window. Reboot your computer and wait untill you see the desktop again. (It will reboot automatically just after the check)

When done, click on My Computer, select Local Disk (C), Right click to bring up the menu and click on Properties and go to Tools tab. Click on Defragment now and click on the Defragment button in the next window. This may take some time. Relax and have a cup of coffee or tea.

As for the modem, I don't know why this could happen, do you have a manual that explains the status of the lights ? It could just be a coincidence because malware or a cleanup of malware isn't suppose to do anything to a modem or other hardware.

Running SpySweeper and Microsoft Antispyware's real time protection together, could eventually slow down the PC and even create conflicts. I would recommend running only 1.

Let me know how things run after the defrag and if you still have trouble.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby cogoni » December 29th, 2005, 10:13 am

Thanks, you have been a great help.


I do t think theres something wrong with the modem, just since this malware came there has been many occurences where internet is slow and my HD light is constantly flashing.
Still is.... maybe its something else....
I think it maybe something bad trying to send something via the net or remotly connecting to my pc, like it did before.

I did the hd scan and rebooted.... is there suppose to be some results?

I thought you were going to mention about that virus Active scan detected. But iv deleted it and hope it wont come back. Cheers.

If theres any other problems ill let you know.
Last edited by cogoni on December 29th, 2005, 10:29 am, edited 1 time in total.
cogoni
Active Member
 
Posts: 10
Joined: December 28th, 2005, 7:11 am

Unread postby Kimberly » December 29th, 2005, 10:26 am

Oops, yes forgot to mention to delete C:\WINDOWS\timessquare1.dat indeed. Good initiative. :)
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 334 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware