
Norton Deletion Problems


20 replies to this topic

#1 obededom

obededom

  • Members
  • 112 posts
  • OFFLINE
  •  
  • Location:Wichita
  • Local time:02:01 AM

Posted 24 November 2005 - 12:04 AM

Ok, I have 2 problems.

:thumbsup: I know (simply by looking at the log) that there is some spyware in there. I have d/l and installed AdAware, Spybot Search & Destroy, System Security Suite (from a previous topic/problem) and AntiVir XP. Basically, I just want to get rid of all the spyware that those programs AdAware and Spybot didn't find.

:flowers: I d/l AntiVir XP, as I previously stated, and I want to get rid of Norton (it drives me crazy and a member of the HJT team also told me previously to get rid of it b/c he believes it is useless, as do I). There are four "programs" associated with Norton, and I was able to delete one. The other three are: LiveReg (Symantec Corporation), Norton Internet Security (Symantec Corporation) and Norton WMI Update (I was able to delete the other one, but I don't remember what it was). However, with these three, there is an error every time I try to remove them using Add/Remove Programs (also, I disable Norton Internet Security and Norton AntiVirus). Here are the screenshots of the errors associated with those three:

LiveReg (Symantec Corporation):
Posted Image

Norton Internet Security (Symantec Corporation):
Posted Image

2 Errors with Norton WMI Update:
Posted Image Posted Image

Let me know if there's any other information you need to know



:trumpet: HJT Logfile:
Logfile of HijackThis v1.99.1
Scan saved at 10:32:51 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks ahead of time,
~obededom~
"Advertisements contain the only truths to be relied on in a newspaper." - Mark Twain



#2 Skate_Punk_21

Skate_Punk_21

    Crapware Killing Canuck!


  • Members
  • 185 posts
  • OFFLINE
  •  
  • Local time:02:01 AM

Posted 29 November 2005 - 10:11 AM

check out this thread.
:thumbsup:
Skate
If I've helped you in any way, please consider a donation to help me continue the fight.

#3 obededom


Posted 02 December 2005 - 11:23 PM

Ok I followed the guide and was able to delete all Norton/Symantec programs. However, I had a problem before I restarted this comp after deleting everything - when I tried to go to a website, I got a "Server not responding" error (and it has to do with an ftp error). This only happened with some websites - for example, I was still able to access this website and google.com, but I got an error when I tried to visit hotmail.com, gmail.com or even cnn.com. Now, like I said, this problem was occurring before I restarted. Now that I've restarted, I'm able to access all of those previously mentioned websites. Is it random? I don't know. Hopefully, by deleting/removing all Norton/Symantec programs, that took care of the problem. Anyway, that's the situation right now and I would still like to get this log clean (for instance, web savings from ebates is in my Add/Remove programs list but not in my HJT log):

Logfile of HijackThis v1.99.1
Scan saved at 10:13:18 PM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks again guys,
~obededom~

#4 Skate_Punk_21


Posted 03 December 2005 - 06:03 PM

Ok, I got a few things we can try to find them hidden buggers.

Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


Once in safe mode Open Ewido Security Suite and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.

Reboot back to normal mode and post that log

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click Start Scan
  • After it's done scanning, click Scan Results
  • Make sure all items found have a check next to them, then click Clean Threats Now.
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called Antispyware.log, please double-click that log and copy the entire contents and paste them here.

Post back with those logs and we can continue from there.

Edited by Skate_Punk_21, 03 December 2005 - 06:04 PM.


#5 obededom


Posted 10 December 2005 - 03:02 AM

ok, well, sorry about the delay... I followed all of your instructions, but I wasn't able to get the trend micro log - the first time I clicked on your link it only did an online scan and it never gave the option of downloading, only installing through active x. however, I was able to download it AFTER I scanned and cleaned, but here's the log anyway:

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'Software\Altnet'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'Software\Altnet'. Error=5.
Finished Cleaning


:thumbsup: I did get the Ewido log, and that is here (I know, most of it is cookies):

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:12:34 PM, 12/6/2005
+ Report-Checksum: 391DE34A

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\BIG DADDY\Application Data\Hotbar -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\BIG DADDY\Application Data\Hotbar\reports.txt -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@ads18.bpath[2].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@mysearch[1].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@www.smartadserver[1].txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\christina\Cookies\christina@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\christina\Local Settings\Temporary Internet Files\Content.IE5\MPN0L8RM\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Sylvia.COLORTYM-EK4CIH\Local Settings\Temporary Internet Files\Content.IE5\9SZWIWC9\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\hbinst\Hbinst.exe -> Spyware.HotBar : Cleaned with backup
C:\WINDOWS\NDNuninstall6_10.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned with backup


::Report End

:flowers: also, here's a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:55 AM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks,
~obededom~

Edited by obededom, 10 December 2005 - 03:24 AM.


#6 Skate_Punk_21


Posted 10 December 2005 - 07:25 PM

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy
Please copy and paste the following into notepad exactly as it appears:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Altnet]
[-HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN]

Save this file to your desktop as "fix.reg" WITH the quotation marks. Now double click the file and, when prompted, allow it to merge with the registry.


Now run Ewido once again please, and post the log along with any other troubles you might be having.

Edited by Skate_Punk_21, 10 December 2005 - 07:26 PM.

If I've helped you in any way, please consider a donation to help me continue the fight: Posted Image
Posted Image
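Added example, not part of the original posts and not ewido's or HijackThis's own code: the fix.reg in the post above removes exactly the registry keys that the ewido report listed as "Error during cleaning", and this Python script derives such a file from a report. The excerpt is copied from the report earlier in the thread; the function names and the depth guard are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Optional

# Hive abbreviations as they appear in the scan report, mapped to the
# full names a .reg file needs.
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
}

# Guard (assumption of this example): never emit a delete for a key
# shallower than HIVE\SOFTWARE\<vendor>, so a malformed report line
# cannot turn into "delete all of HKLM\SOFTWARE".
MIN_COMPONENTS = 3

# Report line format: <path> -> <signature> : <status>
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<sig>\S+) : (?P<status>.+)$")

# Excerpt copied from the ewido report posted in this thread.
SAMPLE_REPORT = r"""
+ Created on: 2:12:34 PM, 12/6/2005

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning
C:\Program Files\hbinst\Hbinst.exe -> Spyware.HotBar : Cleaned with backup
C:\WINDOWS\NDNuninstall6_10.exe -> Spyware.NewDotNet : Cleaned with backup

::Report End
"""


class Finding(NamedTuple):
    path: str
    signature: str
    status: str


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per result line; header and footer lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(Finding(m["path"], m["sig"], m["status"].strip()))
    return findings


def expand_hive(path: str) -> Optional[str]:
    """HKLM\\X\\Y -> HKEY_LOCAL_MACHINE\\X\\Y; None for file paths."""
    hive, _, rest = path.partition("\\")
    full = HIVES.get(hive.upper())
    if full is None or not rest:
        return None
    return full + "\\" + rest


def failed_registry_roots(findings: List[Finding]) -> List[str]:
    """Registry keys that failed cleaning, collapsed to their top-most parents.

    Deleting a key removes its subkeys, so Altnet\\Dashboard is dropped
    once Altnet itself is listed. Key names compare case-insensitively.
    """
    keys = set()
    for f in findings:
        if f.status.lower().startswith("error"):
            full = expand_hive(f.path)
            if full is not None:
                keys.add(full)
    roots: List[str] = []
    for key in sorted(keys, key=lambda k: (k.count("\\"), k.upper())):
        folded = key.upper()
        covered = any(
            folded == r.upper() or folded.startswith(r.upper() + "\\")
            for r in roots
        )
        if not covered:
            roots.append(key)
    return roots


def build_reg_file(roots: List[str]) -> str:
    """REGEDIT4 text with one [-key] deletion entry per root, CRLF line ends."""
    lines = ["REGEDIT4", ""]
    for key in roots:
        if key.count("\\") + 1 < MIN_COMPONENTS:
            raise ValueError(f"refusing to delete shallow key: {key}")
        lines.append(f"[-{key}]")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_reg_file(failed_registry_roots(parse_report(SAMPLE_REPORT))))
```

Review the generated file before merging it, and export the listed keys first so the deletion can be reverted.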

#7 obededom


Posted 20 December 2005 - 02:02 PM

I'm sorry about the delay - I've been really busy and this is a friend's computer. Your instructions WILL be carried out, it just may be another couple of days. Please, don't lose me or don't lock the topic if at all possible. Thanks again for your help!

#8 Skate_Punk_21


Posted 20 December 2005 - 02:45 PM

Not a problem, will definitely leave it open :thumbsup:

#9 obededom


Posted 24 December 2005 - 11:40 PM

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy
Please copy and paste the following into notepad exactly as it appears:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Altnet]
[-HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN]

Save this file to your desktop as "fix.reg" WITH the quotation marks. Now double click the file and, when prompted, allow it to merge with the registry.


Now run Ewido once again please, and post the log along with any other troubles you might be having.


should I do all of this in safe mode? or only the Ewido scan?

#10 Skate_Punk_21


Posted 26 December 2005 - 01:27 AM

good question, make the reg file in normal mode, but merge it and run ewido from safe mode.

#11 new comer

new comer

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 26 December 2005 - 03:30 AM

I just joined the forum yesterday, and I found your thread helped me to solve my computer problem. Just like to drop a note to say thank you.

I have a strange problem on my computer. I can browse the internet just fine; however, as soon as I attempt to sign in to any account (secure), I get an error message saying server refused. I lost the ability to sign in to yahoo mail, company mail, quicken, etc.

I suspect it is my personal firewall acting up. In this case, it is Norton Internet Security. I tried to remove it from my computer using add/remove programs but with no success. Just when I was considering wiping the computer back to its original state, I decided to check out the web to see if I could get any help. Found your thread on how to remove Norton Internet Security and followed the instructions. After reboot, everything works fine.

Good job Skate_Punk_21, and thank you!

#12 obededom


Posted 26 December 2005 - 03:49 AM

new comer:
That is exactly what was happening in my situation. Exactly. :thumbsup:


Anyway, yes, thanks Skate_Punk_21, and I'll finish this topic as soon as possible. :flowers:
"Advertisements contain the only truths to be relied on in a newspaper." - Mark Twain

#13 obededom

  • Topic Starter

Posted 15 January 2006 - 12:09 AM

Ok, sorry about the incredibly long delay - that darn Ewido scan just takes forever. I merged the reg file in Safe Mode like you said - I'm assuming that's all I had to do, then scan with Ewido. Anyway, here's a fresh HJT Log and the Ewido Scan log:

:thumbsup:
Logfile of HijackThis v1.99.1
Scan saved at 11:05:27 PM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


:flowers:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:59:31 PM, 1/14/2006
+ Report-Checksum: 21C0417A

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning

::Report End



Thanks again,
~obededom~
"Advertisements contain the only truths to be relied on in a newspaper." - Mark Twain

#14 Skate_Punk_21


Posted 15 January 2006 - 10:26 AM

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB Download)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

Edited by Skate_Punk_21, 15 January 2006 - 10:27 AM.

If I've helped you in any way, please consider a donation to help me continue the fight.

#15 obededom

  • Topic Starter

Posted 16 January 2006 - 11:11 PM

:thumbsup: Spy Sweeper Log:

********
9:24 PM: | Start of Session, Monday, January 16, 2006 |
9:24 PM: Spy Sweeper started
9:24 PM: Sweep initiated using definitions version 602
9:25 PM: Warning: Stream read error
9:25 PM: Warning: Stream read error
9:25 PM: Warning: Stream read error
9:25 PM: Warning: Stream read error
9:25 PM: Warning: TIdentify2700Obj.Identify: Unable to map user: S-1-5-21-1078081533-789336058-1957994488-1008.bak
9:25 PM: Starting Memory Sweep
9:29 PM: Memory Sweep Complete, Elapsed Time: 00:04:08
9:29 PM: Starting Registry Sweep
9:29 PM: Found Adware: altnet
9:29 PM: HKLM\software\altnet\ (20 subtraces) (ID = 103481)
9:29 PM: Found Adware: blazefind
9:29 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/bridge.dll\ (2 subtraces) (ID = 104526)
9:29 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\bridge.dll (ID = 104541)
9:29 PM: Found Adware: websearch toolbar
9:29 PM: HKLM\software\btiein\ (14 subtraces) (ID = 146369)
9:29 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/qdow.dll\ (2 subtraces) (ID = 146481)
9:29 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\qdow.dll (ID = 146496)
9:29 PM: Found Adware: win comm
9:29 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/wincommx.dll\ (2 subtraces) (ID = 146974)
9:29 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\wincommx.dll (ID = 146976)
9:30 PM: Found Adware: commonname
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\commonname\ (8 subtraces) (ID = 106881)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\microsoft\internet explorer\menuext\add a page note\ (2 subtraces) (ID = 106887)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\microsoft\internet explorer\menuext\bookmark this page\ (2 subtraces) (ID = 106888)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\microsoft\internet explorer\menuext\email this link\ (2 subtraces) (ID = 106889)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\microsoft\internet explorer\menuext\search using commonname\ (2 subtraces) (ID = 106890)
9:30 PM: Found Adware: hotbar
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\hotbar\ (10 subtraces) (ID = 127565)
9:30 PM: Found Adware: internetoptimizer
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\avenue media\ (ID = 128887)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\policies\avenue media\ (ID = 128928)
9:30 PM: Found Adware: 180search assistant/zango
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\180solutions\ (9 subtraces) (ID = 135617)
9:30 PM: Found Adware: virtumonde
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\microsoft\sysupd\ (5 subtraces) (ID = 145667)
9:30 PM: Found Adware: webrebates
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\microsoft\internet explorer\menuext\web rebates\ (2 subtraces) (ID = 146297)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\btiein\ (3 subtraces) (ID = 146368)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\microsoft\internet explorer\urlsearchhooks\ || _{8952a998-1e7e-4716-b23d-3dbe03910972} (ID = 146465)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\toolbar\ (11 subtraces) (ID = 146513)
9:30 PM: Found Adware: sidesearch
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1009\software\toolbar\ (11 subtraces) (ID = 646239)
9:30 PM: Warning: Stream read error
9:30 PM: Warning: Stream read error
9:30 PM: Warning: Stream read error
9:30 PM: Warning: Stream read error
9:30 PM: Warning: TIdentifyRegistryObj.Identify: Unable to map user: S-1-5-21-1078081533-789336058-1957994488-1008.bak
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1006\software\microsoft\internet explorer\urlsearchhooks\ || _{8952a998-1e7e-4716-b23d-3dbe03910972} (ID = 146465)
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1078081533-789336058-1957994488-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
9:30 PM: Registry Sweep Complete, Elapsed Time:00:01:00
9:30 PM: Warning: Stream read error
9:30 PM: Warning: Stream read error
9:30 PM: Warning: Stream read error
9:30 PM: Warning: Stream read error
9:31 PM: Warning: Stream read error
9:31 PM: Warning: Stream read error
9:31 PM: Warning: TIdentifyCookieObj.GetCookiePaths(): Unable to map user: S-1-5-21-1078081533-789336058-1957994488-1008.bak
9:31 PM: Starting Cookie Sweep
9:31 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
9:31 PM: Starting File Sweep
9:36 PM: Warning: Failed to open file "c:\recycler\\dc23.lnk". The system cannot find the file specified
9:49 PM: winnet.ini (ID = 53846)
9:49 PM: Warning: Stream read error
9:50 PM: Warning: Stream read error
9:50 PM: Warning: Stream read error
9:50 PM: Warning: Stream read error
9:50 PM: Warning: TWinStartupScanner.Initialize(): could not map user [S-1-5-21-1078081533-789336058-1957994488-1008.bak]
9:50 PM: peer points manager.lnk (ID = 49852)
9:54 PM: default.inf (ID = 53773)
9:54 PM: File Sweep Complete, Elapsed Time: 00:23:25
9:54 PM: Full Sweep has completed. Elapsed time 00:29:43
9:54 PM: Traces Found: 188
9:59 PM: Removal process initiated
9:59 PM: Quarantining All Traces: 180search assistant/zango
9:59 PM: Quarantining All Traces: virtumonde
9:59 PM: Quarantining All Traces: websearch toolbar
10:00 PM: Quarantining All Traces: blazefind
10:00 PM: Quarantining All Traces: commonname
10:00 PM: Quarantining All Traces: hotbar
10:00 PM: Quarantining All Traces: internetoptimizer
10:00 PM: Quarantining All Traces: sidesearch
10:00 PM: Quarantining All Traces: altnet
10:00 PM: Quarantining All Traces: webrebates
10:00 PM: Quarantining All Traces: win comm
10:00 PM: Warning: Stream read error
10:00 PM: Warning: Stream read error
10:00 PM: Warning: Stream read error
10:00 PM: Warning: Stream read error
10:01 PM: Removal process completed. Elapsed time 00:01:50
********
9:22 PM: | Start of Session, Monday, January 16, 2006 |
9:22 PM: Spy Sweeper started
9:23 PM: Warning: Stream read error
9:23 PM: Warning: Stream read error
9:23 PM: Warning: Stream read error
9:23 PM: Warning: Stream read error
9:23 PM: Warning: TCSIDLs.Refresh: could not map user [S-1-5-21-1078081533-789336058-1957994488-1008.bak]
9:23 PM: Your spyware definitions have been updated.
9:24 PM: | End of Session, Monday, January 16, 2006 |


:flowers: HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:15 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Edited by obededom, 16 January 2006 - 11:11 PM.

"Advertisements contain the only truths to be relied on in a newspaper." - Mark Twain
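
An added example (not part of the thread, and not Webroot's tooling) for reading a Spy Sweeper session log like the one in post #15: it groups registry traces by adware family, collects the user-profile SIDs that carry them, and flags families that were found but have no quarantine line. The sample log is constructed, and `summarize`, `unquarantined` and the rule that one trace ID belongs to one family are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the posted session log; SIDs and the GUID are
# placeholders, family names and trace IDs follow the log in the thread.
SAMPLE_LOG = r"""
9:29 PM: Found Adware: altnet
9:29 PM: HKLM\software\altnet\ (20 subtraces) (ID = 103481)
9:30 PM: Found Adware: webrebates
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1111-2222-3333-1009\software\microsoft\internet explorer\urlsearchhooks\ || _{00000000-0000-0000-0000-000000000001} (ID = 146465)
9:30 PM: Found Adware: sidesearch
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1111-2222-3333-1009\software\toolbar\ (11 subtraces) (ID = 646239)
9:30 PM: Warning: Stream read error
9:30 PM: HKU\WRSS_Profile_S-1-5-21-1111-2222-3333-1006\software\microsoft\internet explorer\urlsearchhooks\ || _{00000000-0000-0000-0000-000000000001} (ID = 146465)
9:30 PM: Registry Sweep Complete, Elapsed Time:00:01:00
9:59 PM: Quarantining All Traces: altnet
9:59 PM: Quarantining All Traces: webrebates
"""

ENTRY = re.compile(r"^\s*\d{1,2}:\d{2} [AP]M: (.*\S)\s*$")
TRACE = re.compile(
    r"^(?:HKLM|HKU)\\(.*?)\s*(?:\((\d+) subtraces\)\s*)?\(ID = (\d+)\)$")
SID = re.compile(r"WRSS_Profile_(S-[\d-]+)")

def summarize(log_text):
    """Group registry traces by adware family and record quarantine status."""
    families = defaultdict(lambda: {"traces": 0, "subtraces": 0,
                                    "sids": set(), "quarantined": False})
    id_owner = {}   # trace ID -> family it was first reported under
    current = None  # family named by the latest "Found Adware:" line
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw)
        msg = entry.group(1) if entry else ""
        trace = TRACE.match(msg)
        if msg.startswith("Found Adware: "):
            current = msg.split(": ", 1)[1]
            families[current]  # register the family even with no traces
        elif msg.startswith("Quarantining All Traces: "):
            families[msg.split(": ", 1)[1]]["quarantined"] = True
        elif trace:
            path, subs, trace_id = trace.groups()
            # Assumption: a trace ID denotes one family, so a trace listed after
            # an interruption is filed under the family its ID first appeared with.
            owner = id_owner.get(trace_id) or current
            if owner is None:
                continue
            id_owner[trace_id] = owner
            fam = families[owner]
            fam["traces"] += 1
            fam["subtraces"] += int(subs or 0)
            fam["sids"].update(SID.findall(path))
    return dict(families)

def unquarantined(summary):
    """Families with at least one trace and no quarantine line."""
    return sorted(name for name, fam in summary.items()
                  if fam["traces"] and not fam["quarantined"])

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name, fam in sorted(report.items()):
        print(name, fam["traces"], sorted(fam["sids"]), fam["quarantined"])
    print("not quarantined:", unquarantined(report))
```

Only registry traces (HKLM/HKU lines) are counted; file traces such as `winnet.ini` and the warning lines are skipped.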



