
4 Spyware Infections Found With Panda Activescan


24 replies to this topic

#1 I_am_CanadianEh?

  • Members
  • 489 posts
  • Gender:Male

Posted 06 January 2006 - 02:51 PM

Hello,

I'm new to this forum so I just wanted to say HI! I've been reading a number of the posts and I'll say I'm very impressed with your experience, so I'm placing my trust in you to alleviate some spyware problems that I might have.

Here's what I did, in this EXACT order as shown. All was performed in normal mode:

1) Turned TeaTimer OFF, turned Norton Antivirus Realtime protection OFF.
2) Updated and ran Ewido (Full Scan) - nothing found
3) Updated and ran Ad-Aware SE Personal (Complete Scan) - nothing found
4) Updated, immunized, and ran Spybot S&D - nothing found
5) Updated, ran Norton Antivirus (all hard drives) - nothing found
6) Ran CCleaner, cleaned almost everything (except folder settings and passwords)
7) Ran CCleaner registry analyzer - nothing found

8) Ran a program called REGCLEANER. Went to Tools-Cleanup-OLE Cleaner, removed 1 entry. Then to Orphan File Ref, removed 1 entry. Then to Automatic Registry Cleaner - cleaned about 7-10 entries.

Saved the UNINSTALL information as I've found some items that I do not recognize and that are not in the Add/Remove section of Control Panel. See here:

************

RegCleaner 4.3 by Jouni Vuorio
Software in Windows' Uninstall Menu. You can uninstall them or just remove them from this list
[syntax: Software ]

{5B239A98-4222-4D8C-AF38-1A8EC07F956B}
{5D0930A0-1033-433A-8BB9-602665550DD0}
{F90DA605-4E92-11D4-A319-00104BCAB4AB}
Ad-Aware SE Personal
AddressBook
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.5
Air Canada TravelDesk
ALi AGP Driver 1.80
ALi Audio Accelerator WDM Driver
Bluetooth Stack for Windows by Toshiba
Branding
CCleaner (remove only)
Connection Manager
DirectAnimation
DirectDrawEx
DXM_Runtime
eDrawings 2006
ewido security suite
Fontcore
Google Toolbar for Internet Explorer
HexDump plug-in for Ad-Aware SE
HijackThis 1.99.1
ICW
IE40
IE4Data
IE5BAKEX
IEData
Intel® PRO Ethernet Adapter and Software
Internet Explorer Exception pack
Internet Explorer Q903235
Internet Explorer ReadMe
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
KB884016
Kensington MouseWorks
Lavasoft VX2 Cleaner
Lexmark Printer Software Uninstall
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft NetShow Player 2.0
Microsoft Office 2000 SR-1 Professional
Microsoft Project 2000 SR-1
Microsoft VGX Q833989
Microsoft Windows Journal Viewer
Microsoft XML Parser and SDK
MobileOptionPack
MPlayer2
MSI30a-KB884016
MSI30-Beta1
MSI30-Beta2
MSI30-KB884016
MSI30-RC1
MSI30-RC2
MSI31-Beta
MSI31-RC1
MsJavaVM
NetMeeting
Network Device Switch
Network Device Switch 3
Norton AntiVirus Corporate Edition
OutlookExpress
Panda ActiveScan
Panda spyXposer
QuickTime
RealJukebox 1.0
RealPlayer
Registry Toolkit 1.2.9
SchedulingAgent
Security Update for Windows 2000 (KB904706)
SPANworks 2000
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Toshiba Client Manager
TOSHIBA Console
Toshiba Hotkey Utility for Display Devices
TOSHIBA Mobile Extension3 V3.09.00
Toshiba Power Saver
TOSHIBA Software Modem
Toshiba Utilities
TSAUNINST
Tweak-SE plug-in for Ad-Aware SE
Update Rollup 1 for Windows 2000 SP4
WebFldrs
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB867282
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB887797
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896688
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB904368
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix (SP5) Q818043
Windows 2000 Professional
Windows 2000 Service Pack 4
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows Media Player system update (9 Series)
WinZip
Wireless Hotkey

9) Ran REGISTRY TOOLKIT and cleaned 6 entries. Note that I always keep getting back "syscookies.txt", which seems to be related to RealPlayer 6. I also keep getting back some log files referencing a Lexmark printer.

10) Restarted the computer.

11) Ran Panda ActiveScan (entire computer) and found 4 spyware entries :thumbsup:

Here's the Panda Log:

Incident Status Location

Spyware:spyware/shopnav Not disinfected C:\WINNT\SYSTEM32\ie_spy.dll
Adware:adware/startpage.amb Not disinfected C:\Documents and Settings\timp\Favorites\Insurance
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Default User\Cookies\system@c.enhance[1].txt

12) Finally, ran Hijack This and here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 2:06:43 PM, on 01/06/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\kmw_run.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\Network Device Switch 3\NDSTray.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\timp\My Documents\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.5/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: *.aeroplan.ca
O15 - Trusted Zone: *.aircanada.ca
O15 - Trusted Zone: *.aircanada.com
O15 - Trusted Zone: *.canadiantire.ca
O15 - Trusted Zone: *.ebay.ca
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.fedex.com
O15 - Trusted Zone: *.google.ca
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.royalbank.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.ups.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267163188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267122680
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{650C4EDD-C0F8-4859-B611-35EBAD733980}: NameServer = 172.16.1.22,172.16.52.5,66.163.0.161
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msb.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe" /Service (file missing)

I've googled ie_spy.dll and it says it might be legitimate; used for Kensington MouseWorks, which I have installed. However, it also mentions that a malicious version of ie_spy.dll is from ShopNav?? :flowers:

Please help me with these 4 spies found in Panda. Thanks a lot!!

I_am_CanadianEh?
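As an added example (editor's code, not part of the original post and not HijackThis's or BleepingComputer's own tooling), here is a small Python triage script for the HijackThis v1.99.1 log format shown above. It parses the O2, O4, O15 and O23 entries and pulls out the items a helper usually checks first: Run commands registered under more than one value name (the log above lists the QuickTime task under both [QuickTime Task] and [ntdll.dll]), services whose binary is "(file missing)", BHOs reported as "(no name)" whose CLSID has to be looked up, and every Trusted Zone site, since sites in the Trusted Zone run with relaxed Internet Explorer security settings. SAMPLE_LOG is a constructed excerpt modelled on the posted log, and the review heuristics are the editor's choices, not HijackThis rules.

```python
"""Triage helpers for HijackThis v1.99.1 logs (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample: a short excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.paypal.com
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Every HijackThis entry line looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# O4 Run-key form: "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
# O2 form: "BHO: Name - {CLSID} - path"
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def parse_log(text):
    """Return (section, body) pairs for every entry line; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review(text):
    """Return the items a helper would look at first, keyed by category.

    The heuristics are the editor's own (assumption), chosen from what the posted log shows:
    duplicate Run commands, missing service binaries, unnamed BHOs and Trusted Zone sites.
    """
    run_names = defaultdict(list)  # command line -> Run value names that launch it
    findings = {
        "duplicate_run_commands": [],
        "missing_service_files": [],
        "unnamed_bhos": [],
        "trusted_zones": [],
    }
    for section, body in parse_log(text):
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                run_names[m.group(3)].append(m.group(2))
        elif section == "O2":
            m = BHO_RE.match(body)
            if m and m.group(1) == "(no name)":
                findings["unnamed_bhos"].append(m.group(2))
        elif section == "O15" and body.startswith("Trusted Zone: "):
            findings["trusted_zones"].append(body[len("Trusted Zone: "):])
        elif section == "O23" and body.startswith("Service: "):
            # "Service: Name - Owner - Path [(file missing)]"
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) == 3 and parts[2].endswith("(file missing)"):
                findings["missing_service_files"].append(parts[0])
    for command, names in run_names.items():
        if len(names) > 1:
            findings["duplicate_run_commands"].append((command, names))
    return findings


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Running the script prints each category with its items. The duplicate-command check is a flag for manual review, not a verdict: a legitimate installer can register a program twice, so the point is to make the helper look at why a Run value named after a system DLL launches a media player, rather than to delete anything automatically.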


#2 I_am_CanadianEh?

  • Topic Starter
  • Members
  • 489 posts
  • Gender:Male

Posted 10 January 2006 - 04:37 PM

I did some extra things as well, all in SAFE mode:

1) Ran Ewido again, and it found a few objects, here's the report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:25:36 AM, 1/9/2006
+ Report-Checksum: 34B5EFA3

+ Scan result:

C:\Documents and Settings\timp\Cookies\timp@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\timp\Local Settings\Temporary Internet Files\Content.IE5\KO0WGSY0\mm[2].js -> Spyware.Chitika : Cleaned with backup


::Report End

2) Ran AboutBuster and it found a crap load of stuff!! I didn't save a log (don't even know if you can) but it mentioned something about there appearing to be an infection of CWS HomeSearch. The files it showed appeared to be .bmp files related to my pre-installed Windows wallpaper with Win2K.

I also used Hijack This and looked for Spy Ads. That log is listed here (I searched all folders). Are any of these legitimate or are they malicious?
******************************************************
C:\Documents and Settings\timp\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf : SebiesnrMkudrfcoIaamtykdDa (112 bytes)
C:\Documents and Settings\timp\My Documents\Blank Forms & Logos\ABC LOGO.jpg : Q30lsldxJoudresxAaaqpcawXc (6320 bytes)
C:\Documents and Settings\timp\My Documents\My Pictures\Wallpaper\palms.bmp : Q30lsldxJoudresxAaaqpcawXc (6088 bytes)
C:\Documents and Settings\timp\My Documents\My Pictures\Wallpaper\private.bmp : Q30lsldxJoudresxAaaqpcawXc (8284 bytes)
C:\Documents and Settings\timp\My Documents\My Pictures\Wallpaper\seclusion.bmp : Q30lsldxJoudresxAaaqpcawXc (5288 bytes)
C:\kmouse\help\AccelerationTab.gif : Q30lsldxJoudresxAaaqpcawXc (7532 bytes)
C:\kmouse\help\ButtonsTabAdvanced.gif : Q30lsldxJoudresxAaaqpcawXc (7548 bytes)
C:\kmouse\help\ButtonsTabBasic.gif : Q30lsldxJoudresxAaaqpcawXc (7160 bytes)
C:\kmouse\help\ClickSpeedTab.gif : Q30lsldxJoudresxAaaqpcawXc (6252 bytes)
C:\kmouse\help\DirectLaunchTab.gif : Q30lsldxJoudresxAaaqpcawXc (6584 bytes)
C:\kmouse\help\KensingtonTab.gif : Q30lsldxJoudresxAaaqpcawXc (7392 bytes)
C:\kmouse\help\MovementTab.gif : Q30lsldxJoudresxAaaqpcawXc (7024 bytes)
C:\kmouse\help\RestReminderTab.gif : Q30lsldxJoudresxAaaqpcawXc (7436 bytes)
C:\kmouse\help\ScrollingTab.gif : Q30lsldxJoudresxAaaqpcawXc (7336 bytes)
C:\kmouse\help\Tile.gif : Q30lsldxJoudresxAaaqpcawXc (3176 bytes)
C:\kmouse\setupdir\0007\setup.bmp : Q30lsldxJoudresxAaaqpcawXc (5980 bytes)
C:\kmouse\setupdir\0009\setup.bmp : Q30lsldxJoudresxAaaqpcawXc (5988 bytes)
C:\kmouse\setupdir\000a\setup.bmp : Q30lsldxJoudresxAaaqpcawXc (5980 bytes)
C:\kmouse\setupdir\0010\setup.bmp : Q30lsldxJoudresxAaaqpcawXc (5976 bytes)
C:\kmouse\setupdir\040c\setup.bmp : Q30lsldxJoudresxAaaqpcawXc (6000 bytes)
C:\Program Files\Actify\BACKUP\sfdhelp.jpg : Q30lsldxJoudresxAaaqpcawXc (6368 bytes)
C:\Program Files\Air Canada\HTMLFiles\images\img_palmOS2.jpg : Q30lsldxJoudresxAaaqpcawXc (7184 bytes)
C:\Program Files\Air Canada\HTMLFiles\images\img_pc2.jpg : Q30lsldxJoudresxAaaqpcawXc (7544 bytes)
C:\Program Files\Air Canada\HTMLFiles\images\img_pdf2.jpg : Q30lsldxJoudresxAaaqpcawXc (9424 bytes)
C:\Program Files\Air Canada\HTMLFiles\images\img_pocketPC2.jpg : Q30lsldxJoudresxAaaqpcawXc (6764 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\images\CoverImage.jpg : Q30lsldxJoudresxAaaqpcawXc (4080 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\images\CoverImageOld.jpg : Q30lsldxJoudresxAaaqpcawXc (4308 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\images\install.bmp : Q30lsldxJoudresxAaaqpcawXc (4040 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\330_300.gif : Q30lsldxJoudresxAaaqpcawXc (1760 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\330_300.jpg : Q30lsldxJoudresxAaaqpcawXc (1760 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\340_300.gif : Q30lsldxJoudresxAaaqpcawXc (1788 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\340_300.jpg : Q30lsldxJoudresxAaaqpcawXc (1796 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\340_500.jpg : Q30lsldxJoudresxAaaqpcawXc (1804 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\763-159y.gif : Q30lsldxJoudresxAaaqpcawXc (2108 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\763-159y.jpg : Q30lsldxJoudresxAaaqpcawXc (2088 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\763-179y.gif : Q30lsldxJoudresxAaaqpcawXc (2088 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\763-179y.jpg : Q30lsldxJoudresxAaaqpcawXc (2024 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\763-187y.gif : Q30lsldxJoudresxAaaqpcawXc (2020 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\763-187y.jpg : Q30lsldxJoudresxAaaqpcawXc (2128 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\767_200.gif : Q30lsldxJoudresxAaaqpcawXc (2196 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\A345.gif : Q30lsldxJoudresxAaaqpcawXc (1796 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\aclogo.bmp : Q30lsldxJoudresxAaaqpcawXc (2084 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\cp_747_74E.gif : Q30lsldxJoudresxAaaqpcawXc (2108 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\f333.gif : Q30lsldxJoudresxAaaqpcawXc (1968 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\f343.gif : Q30lsldxJoudresxAaaqpcawXc (1980 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\f763-159y.gif : Q30lsldxJoudresxAaaqpcawXc (2068 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\f763-179y.gif : Q30lsldxJoudresxAaaqpcawXc (2084 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\f763-187y.gif : Q30lsldxJoudresxAaaqpcawXc (1828 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\f767.gif : Q30lsldxJoudresxAaaqpcawXc (2208 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\fA345.gif : Q30lsldxJoudresxAaaqpcawXc (1804 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\fcp_747.gif : Q30lsldxJoudresxAaaqpcawXc (2136 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\map_FRA.gif : Q30lsldxJoudresxAaaqpcawXc (4876 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\map_IAD.gif : Q30lsldxJoudresxAaaqpcawXc (6704 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\map_LHR.gif : Q30lsldxJoudresxAaaqpcawXc (5960 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\map_ORD.gif : Q30lsldxJoudresxAaaqpcawXc (4888 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\map_YUL.gif : Q30lsldxJoudresxAaaqpcawXc (3892 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\map_YVR.gif : Q30lsldxJoudresxAaaqpcawXc (4296 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\map_YYC.gif : Q30lsldxJoudresxAaaqpcawXc (3612 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\AC\map_YYZ.gif : Q30lsldxJoudresxAaaqpcawXc (3652 bytes)
C:\Program Files\Air Canada TravelDesk\HTML\magazine\aclogo.bmp : Q30lsldxJoudresxAaaqpcawXc (2084 bytes)
C:\Program Files\Common Files\eDrawings2006\lang\english\H1TitleBar.gif : Q30lsldxJoudresxAaaqpcawXc (400 bytes)
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Help\lj1200\Users Guide\images\chap022a.gif : Q30lsldxJoudresxAaaqpcawXc (4924 bytes)
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Help\lj1200\Users Guide\images\china1198.gif : Q30lsldxJoudresxAaaqpcawXc (4656 bytes)
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Help\lj1200\Users Guide\images\splash.gif : Q30lsldxJoudresxAaaqpcawXc (4748 bytes)
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Help\lj1200\Users Guide\wwhgifs\splash.gif : Q30lsldxJoudresxAaaqpcawXc (4748 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Capuccino\Background.bmp : Q30lsldxJoudresxAaaqpcawXc (1792 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Capuccino\Background_Mask.bmp : Q30lsldxJoudresxAaaqpcawXc (512 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Capuccino\Background_Mask_Second.bmp : Q30lsldxJoudresxAaaqpcawXc (1720 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Capuccino\Splash.jpg : Q30lsldxJoudresxAaaqpcawXc (5404 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Capuccino\Splash256.jpg : Q30lsldxJoudresxAaaqpcawXc (5400 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Gray Marble\Background.bmp : Q30lsldxJoudresxAaaqpcawXc (1880 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Gray Marble\Background_Mask.bmp : Q30lsldxJoudresxAaaqpcawXc (512 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Gray Marble\Background_Mask_Second.bmp : Q30lsldxJoudresxAaaqpcawXc (1720 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Gray Marble\Splash.jpg : Q30lsldxJoudresxAaaqpcawXc (5404 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Gray Marble\Splash256.jpg : Q30lsldxJoudresxAaaqpcawXc (5400 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Green Marble\Background.bmp : Q30lsldxJoudresxAaaqpcawXc (1828 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Green Marble\Background_Mask.bmp : Q30lsldxJoudresxAaaqpcawXc (512 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Green Marble\Background_Mask_Second.bmp : Q30lsldxJoudresxAaaqpcawXc (1720 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Green Marble\Splash.jpg : Q30lsldxJoudresxAaaqpcawXc (5404 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Dark Green Marble\Splash256.jpg : Q30lsldxJoudresxAaaqpcawXc (5400 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Navy Blue\Background.bmp : Q30lsldxJoudresxAaaqpcawXc (1800 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Navy Blue\Background_Mask.bmp : Q30lsldxJoudresxAaaqpcawXc (512 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Navy Blue\Background_Mask_Second.bmp : Q30lsldxJoudresxAaaqpcawXc (1720 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Navy Blue\Splash.jpg : Q30lsldxJoudresxAaaqpcawXc (5404 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Navy Blue\Splash256.jpg : Q30lsldxJoudresxAaaqpcawXc (5400 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Violet\Background.bmp : Q30lsldxJoudresxAaaqpcawXc (1836 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Violet\Background_Mask.bmp : Q30lsldxJoudresxAaaqpcawXc (512 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Violet\Background_Mask_Second.bmp : Q30lsldxJoudresxAaaqpcawXc (1720 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Violet\Splash.jpg : Q30lsldxJoudresxAaaqpcawXc (5404 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\Violet\Splash256.jpg : Q30lsldxJoudresxAaaqpcawXc (5400 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD\Background.bmp : Q30lsldxJoudresxAaaqpcawXc (2236 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD\Background_Mask.bmp : Q30lsldxJoudresxAaaqpcawXc (888 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD\Background_No_Logo.BMP : Q30lsldxJoudresxAaaqpcawXc (2164 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD\Splash.jpg : Q30lsldxJoudresxAaaqpcawXc (6044 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD Plus\Splash.bmp : Q30lsldxJoudresxAaaqpcawXc (4840 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD Plus\Splash.jpg : Q30lsldxJoudresxAaaqpcawXc (3076 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD Plus\Splash256.jpg : Q30lsldxJoudresxAaaqpcawXc (3156 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD Plus\TempBaseBmp.BMP : Q30lsldxJoudresxAaaqpcawXc (1292 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD Plus\WinDVD_Player_Base.BMP : Q30lsldxJoudresxAaaqpcawXc (2508 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD Plus\WinDVD_Player_Base_Disable.BMP : Q30lsldxJoudresxAaaqpcawXc (2388 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD Plus\WinDVD_Player_Base_Highlight.BMP : Q30lsldxJoudresxAaaqpcawXc (2764 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD Plus\WinDVD_Player_Base_Selected.BMP : Q30lsldxJoudresxAaaqpcawXc (2708 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD2\Background.bmp : Q30lsldxJoudresxAaaqpcawXc (2012 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD2\Background_Mask.bmp : Q30lsldxJoudresxAaaqpcawXc (512 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD2\Background_Mask_Second.bmp : Q30lsldxJoudresxAaaqpcawXc (1720 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD2\Splash.jpg : Q30lsldxJoudresxAaaqpcawXc (5404 bytes)
C:\Program Files\InterVideo\WinDVD\Skins\WinDVD2\Splash256.jpg : Q30lsldxJoudresxAaaqpcawXc (5400 bytes)
C:\Program Files\Java Web Start\resources\copyright.jpg : Q30lsldxJoudresxAaaqpcawXc (2880 bytes)
C:\Program Files\Microsoft Office\Office\1033\MSPC.GIF : Q30lsldxJoudresxAaaqpcawXc (4676 bytes)
C:\Program Files\Microsoft Office\Templates\1033\left-aligned column_image001.jpg : Q30lsldxJoudresxAaaqpcawXc (5072 bytes)
C:\Program Files\Microsoft Office\Templates\1033\right-aligned column_image001.jpg : Q30lsldxJoudresxAaaqpcawXc (4840 bytes)
C:\Program Files\Windows NT\Pinball\table.bmp : Q30lsldxJoudresxAaaqpcawXc (8336 bytes)
C:\WINNT\DISCOVER\EASY2USE\ANIMAT\IMGMANIP\CONTUPD1.GIF : Q30lsldxJoudresxAaaqpcawXc (5196 bytes)
C:\WINNT\DISCOVER\EASY2USE\WORKREMO\IMAGES\OFFLNWB.JPG : Q30lsldxJoudresxAaaqpcawXc (7980 bytes)
C:\WINNT\DISCOVER\EASY2USE\WRKONWEB\IMAGES\FAVORITE.JPG : Q30lsldxJoudresxAaaqpcawXc (5468 bytes)
C:\WINNT\DISCOVER\EASY2USE\WRKWFILE\IMAGES\SS_MYDOC.JPG : Q30lsldxJoudresxAaaqpcawXc (4136 bytes)
C:\WINNT\DISCOVER\POWERFUL\SECURITY\IMAGES\SECONFMN.JPG : Q30lsldxJoudresxAaaqpcawXc (5328 bytes)
C:\WINNT\ServicePackFiles\i386\winnt256.bmp : Q30lsldxJoudresxAaaqpcawXc (2756 bytes)
C:\WINNT\system32\ALILOGO.bmp : Q30lsldxJoudresxAaaqpcawXc (3444 bytes)
C:\WINNT\system32\DirectX\Dinput\act_rs.png : Q30lsldxJoudresxAaaqpcawXc (5460 bytes)
C:\WINNT\system32\DirectX\Dinput\glmda.png : Q30lsldxJoudresxAaaqpcawXc (3504 bytes)
C:\WINNT\system32\DirectX\Dinput\glmdiggp.png : Q30lsldxJoudresxAaaqpcawXc (3432 bytes)
C:\WINNT\system32\DirectX\Dinput\gr3001.png : Q30lsldxJoudresxAaaqpcawXc (3464 bytes)
C:\WINNT\system32\DirectX\Dinput\gr4005.png : Q30lsldxJoudresxAaaqpcawXc (3716 bytes)
C:\WINNT\system32\DirectX\Dinput\ia3002_1.png : Q30lsldxJoudresxAaaqpcawXc (4164 bytes)
C:\WINNT\system32\DirectX\Dinput\ia3002_2.png : Q30lsldxJoudresxAaaqpcawXc (4064 bytes)
C:\WINNT\system32\DirectX\Dinput\lgc207.png : Q30lsldxJoudresxAaaqpcawXc (2608 bytes)
C:\WINNT\system32\DirectX\Dinput\lgc209.png : Q30lsldxJoudresxAaaqpcawXc (2868 bytes)
C:\WINNT\system32\DirectX\Dinput\lgc20a.png : Q30lsldxJoudresxAaaqpcawXc (2792 bytes)
C:\WINNT\system32\DirectX\Dinput\ms1b.png : Q30lsldxJoudresxAaaqpcawXc (2620 bytes)
C:\WINNT\system32\DirectX\Dinput\ms26.png : Q30lsldxJoudresxAaaqpcawXc (772 bytes)
C:\WINNT\system32\DirectX\Dinput\ms27.png : Q30lsldxJoudresxAaaqpcawXc (2612 bytes)
C:\WINNT\system32\DirectX\Dinput\ms28.png : Q30lsldxJoudresxAaaqpcawXc (3028 bytes)
C:\WINNT\system32\DirectX\Dinput\ms34.png : Q30lsldxJoudresxAaaqpcawXc (4496 bytes)
C:\WINNT\system32\DirectX\Dinput\ms3b.png : Q30lsldxJoudresxAaaqpcawXc (3284 bytes)
C:\WINNT\system32\DirectX\Dinput\ms56.png : Q30lsldxJoudresxAaaqpcawXc (2596 bytes)
C:\WINNT\system32\DirectX\Dinput\ms6.png : Q30lsldxJoudresxAaaqpcawXc (2556 bytes)
C:\WINNT\system32\DirectX\Dinput\ms7.png : Q30lsldxJoudresxAaaqpcawXc (772 bytes)
C:\WINNT\system32\DirectX\Dinput\ms8.png : Q30lsldxJoudresxAaaqpcawXc (2592 bytes)
C:\WINNT\system32\DirectX\Dinput\mse.png : Q30lsldxJoudresxAaaqpcawXc (2916 bytes)
C:\WINNT\system32\DirectX\Dinput\msf1f.png : Q30lsldxJoudresxAaaqpcawXc (2412 bytes)
C:\WINNT\system32\DirectX\Dinput\msprw.png : Q30lsldxJoudresxAaaqpcawXc (4356 bytes)
C:\WINNT\system32\DirectX\Dinput\SV-262e1.png : Q30lsldxJoudresxAaaqpcawXc (4072 bytes)
C:\WINNT\system32\DirectX\Dinput\SV-262e3.png : Q30lsldxJoudresxAaaqpcawXc (4332 bytes)
C:\WINNT\system32\DirectX\Dinput\SV-262e4.png : Q30lsldxJoudresxAaaqpcawXc (5448 bytes)
C:\WINNT\system32\DirectX\Dinput\sv2511.png : Q30lsldxJoudresxAaaqpcawXc (4012 bytes)
C:\WINNT\system32\DirectX\Dinput\sv2512.png : Q30lsldxJoudresxAaaqpcawXc (3260 bytes)
C:\WINNT\system32\ntimage.gif : Q30lsldxJoudresxAaaqpcawXc (1256 bytes)
C:\WINNT\system32\setup.bmp : Q30lsldxJoudresxAaaqpcawXc (2980 bytes)
C:\WINNT\Web\classic.bmp : Q30lsldxJoudresxAaaqpcawXc (5124 bytes)
C:\WINNT\Web\Wallpaper\Chateau.jpg : Q30lsldxJoudresxAaaqpcawXc (5532 bytes)
C:\WINNT\Web\Wallpaper\Gold Petals.jpg : Q30lsldxJoudresxAaaqpcawXc (2400 bytes)
C:\WINNT\Web\Wallpaper\Ocean Wave.jpg : Q30lsldxJoudresxAaaqpcawXc (3020 bytes)
C:\WINNT\Web\Wallpaper\Paradise.jpg : Q30lsldxJoudresxAaaqpcawXc (4728 bytes)
C:\WINNT\Web\Wallpaper\Snow Trees.jpg : Q30lsldxJoudresxAaaqpcawXc (4976 bytes)
C:\WINNT\Web\Wallpaper\Windows 2000.jpg : Q30lsldxJoudresxAaaqpcawXc (2864 bytes)

3) Rebooted to normal mode, scanned with Panda and found 3 spyware entries (I deleted 1 of them earlier by deleting that Favourites folder, see my previous post).

Here's the latest Panda Scan:

Incident Status Location

Spyware:spyware/shopnav Not disinfected C:\WINNT\SYSTEM32\ie_spy.dll
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Default User\Cookies\system@c.enhance[1].txt

I don't want to have to pay for ActiveScan Pro to get rid of these. Is there another way?

Finally, here's my latest Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:49:20 AM, on 01/10/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\kmw_run.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\Network Device Switch 3\NDSTray.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\timp\My Documents\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.5/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://home.microsoft.com/search/search.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: *.aeroplan.ca
O15 - Trusted Zone: *.aircanada.ca
O15 - Trusted Zone: *.aircanada.com
O15 - Trusted Zone: *.canadiantire.ca
O15 - Trusted Zone: *.ebay.ca
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.fedex.com
O15 - Trusted Zone: *.google.ca
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.royalbank.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.ups.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267163188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267122680
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{650C4EDD-C0F8-4859-B611-35EBAD733980}: NameServer = 172.16.1.22,172.16.52.5,66.163.0.161
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msb.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe" /Service (file missing)

I know you're busy, but if you could help me ASAP, that would be great!! :thumbsup:

:flowers:

#3 Grinler (Lawrence Abrams)

  • Admin
  • 43,540 posts
  • Gender:Male
  • Location:USA

Posted 16 January 2006 - 02:44 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

#4 I_am_CanadianEh?
  • Topic Starter

  • Members
  • 489 posts
  • Gender:Male

Posted 17 January 2006 - 12:30 PM

Hi! Thanks for responding. I followed the instructions as suggested.

1) Deleted all in Temporary Internet Files, Temp Files & recycle bin. However, 2 temp files (.tmp) could not be deleted since they were in use. Upon reboot, they still did not go away and I could not delete them. They were in the path: C:\Documents and Settings\<myname>\Local Settings\Temp

2) AD-AWARE - clean on 1st run
3) Spybot S&D - clean on 1st run
4) Panda ActiveScan - 3 SPIES FOUND!!! (see below)
5) McAfee Stinger - clean
6) Latest HijackThis! (see below)
********************************************************
Here are the Panda & HijackThis logs:

PANDA

Incident Status Location

Spyware:spyware/shopnav Not disinfected C:\WINNT\SYSTEM32\ie_spy.dll
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/go Not disinfected C:\RECYCLER\S-1-5-21-682003330-1677128483-1343024091-500\Dc5.txt

HIJACK THIS!

Logfile of HijackThis v1.99.1
Scan saved at 11:58:16 AM, on 01/17/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\kmw_run.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\Network Device Switch 3\NDSTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\timp\My Documents\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.5/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: *.aeroplan.ca
O15 - Trusted Zone: *.aircanada.ca
O15 - Trusted Zone: *.aircanada.com
O15 - Trusted Zone: *.canadiantire.ca
O15 - Trusted Zone: *.ebay.ca
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.fedex.com
O15 - Trusted Zone: *.google.ca
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.ingdirect.ca
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: www.resorts-ontario.com
O15 - Trusted Zone: *.royalbank.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.ups.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267163188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267122680
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{650C4EDD-C0F8-4859-B611-35EBAD733980}: NameServer = 172.16.1.22,172.16.52.5,66.163.0.161
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msb.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe" /Service (file missing)

Thanks!!

:thumbsup:

#5 Grinler (Lawrence Abrams)

  • Admin
  • 43,540 posts
  • Gender:Male
  • Location:USA

Posted 17 January 2006 - 01:17 PM

Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist:

QuickTime

Then,

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.aeroplan.ca
O15 - Trusted Zone: *.aircanada.ca
O15 - Trusted Zone: *.aircanada.com
O15 - Trusted Zone: *.canadiantire.ca
O15 - Trusted Zone: *.ebay.ca
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.fedex.com
O15 - Trusted Zone: *.google.ca
O15 - Trusted Zone: *.google.com
O15 - Trusted Zone: *.ingdirect.ca
O15 - Trusted Zone: *.mapquest.com
O15 - Trusted Zone: *.microsoft.com
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: www.resorts-ontario.com
O15 - Trusted Zone: *.royalbank.com
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: *.ups.com

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\Program Files\QuickTime\
C:\WINNT\SYSTEM32\ie_spy.dll

Reboot your computer to go back to normal mode and post a new log.

#6 I_am_CanadianEh?
  • Topic Starter

  • Members
  • 489 posts
  • Gender:Male

Posted 17 January 2006 - 03:34 PM

OK, here you are. I deleted the files you said; both were visible.

BTW - Was there a problem with the QuickTime software? I'm surprised you asked me to remove it. I still have the self-extractor install file; let me know if I can re-install it after I'm clean.

Also, the trusted web sites I added myself, as I find these sites legitimate. Can I add these back after I'm clean?

Anyways, here's the latest log.

Logfile of HijackThis v1.99.1
Scan saved at 3:25:47 PM, on 01/17/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\kmw_run.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\Network Device Switch 3\NDSTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\timp\My Documents\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.5/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267163188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267122680
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{650C4EDD-C0F8-4859-B611-35EBAD733980}: NameServer = 172.16.1.22,172.16.52.5,66.163.0.161
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msb.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe" /Service (file missing)


:thumbsup:

#7 Grinler (Lawrence Abrams)

  • Admin
  • 43,540 posts
  • Gender:Male
  • Location:USA

Posted 17 January 2006 - 11:29 PM

QuickTime is legit, but it's not normal for it to have a name of ntdll.dll. That's just downright strange and most likely malware related. That's why I want you to remove QuickTime and reinstall it after we are clean.

As for the trusted sites, I do not believe in them. They really add no benefit to you and just lower your security. If you really want them in, go for it, but they are unnecessary and can only harm you.

Also forgot to tell you to delete this file as well:

C:\Documents and Settings\timp\Favorites\Insurance

Other than that ... you look good.
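As an added illustration of the reasoning Grinler applies above (this is not code from the thread or from HijackThis itself), here is a small Python checker that parses a handful of O4, O15 and O23 lines constructed from the logs posted in this thread and flags a Run value named after a system DLL, the same command registered under two different Run names, every Trusted Zone entry, and services whose binary is missing. The sample log, the regexes and the severity labels are all assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis v1.99.1 lines modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: www.resorts-ontario.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
"""

# One regex per HijackThis section we look at: O4 (Run keys), O15 (Trusted Zone), O23 (services).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse(log_text):
    """Split a HijackThis log into its O4, O15 and O23 entries; other lines are ignored."""
    runs, trusted, services = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            runs.append(m.groupdict())
        elif m := O15_RE.match(line):
            trusted.append(m.group("site"))
        elif m := O23_RE.match(line):
            services.append(m.groupdict())
    return runs, trusted, services


def analyse(log_text):
    """Return (severity, message) findings for the log, most severe first."""
    runs, trusted, services = parse(log_text)
    findings = []
    names_by_cmd = defaultdict(list)
    for r in runs:
        names_by_cmd[r["cmd"].strip().lower()].append(r["name"])
        # Run values launch programs; a value *named* after a system DLL (ntdll.dll)
        # is the oddity Grinler points out above and deserves a hard look.
        if r["name"].lower().endswith(".dll"):
            findings.append(("high", f"O4 value named like a DLL: [{r['name']}] launches {r['cmd']}"))
    # The same command registered under two different value names is a second oddity:
    # at most one of them is the vendor's own entry.
    for cmd, names in names_by_cmd.items():
        if len(names) > 1:
            findings.append(("medium", f"same command under {len(names)} Run names {names}: {cmd}"))
    # Every Trusted Zone entry relaxes IE's security settings for that site.
    for site in trusted:
        findings.append(("low", f"O15 Trusted Zone entry {site} lowers IE security for that site"))
    # A service whose binary is gone is left-over registration rather than something running.
    for s in services:
        if s["path"].endswith("(file missing)"):
            findings.append(("info", f"O23 service {s['svc']} points at a missing file: {s['path']}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```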

#8 I_am_CanadianEh?
  • Topic Starter

  • Members
  • 489 posts
  • Gender:Male

Posted 18 January 2006 - 02:46 PM

Thanks for your help!

However, I still have 1 spy from Panda. See below:


Incident Status Location

Adware:adware/commad Not disinfected Windows Registry

It does not give the location in the registry. However, you can find a detailed description of it HERE:

http://www.pandasoftware.com/virus_info/en...eteccion=219235

I have no symptoms of the infection and my computer is not acting strange: there are no popups, hijackings, etc. Perhaps this is just some inactive deadwood left over in the registry?? I don't know.

Unfortunately, Panda does not tell me where in the registry it is located. I suppose I can BUY the ActiveScan Pro to remove it but I'd rather not. Maybe there's another way?

Here's the latest Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:41:13 PM, on 01/18/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\kmw_run.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\Network Device Switch 3\NDSTray.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\timp\My Documents\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.5/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267163188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267122680
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{650C4EDD-C0F8-4859-B611-35EBAD733980}: NameServer = 172.16.1.22,172.16.52.5,66.163.0.161
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msb.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe" /Service (file missing)


Finally, looking at this log, I'm wondering if these keys are of any use:

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) - I HAVE UNINSTALLED NETWORK FRAME 2.0
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe" /Service (file missing)

Thanks again.
:thumbsup:

#9 Grinler (Lawrence Abrams, Admin)

Posted 18 January 2006 - 08:51 PM

If you are not using these services, then remove them:

Download the attached bat file and run it. It will remove the services.



About commad, do this:

Download RegSrch.zip from here:

http://billsway.com/vbspage/vbsfiles/RegSrch.zip

Unzip it and then double-click on the regsrch.vbs file. When it runs it will prompt you for a string to search for. Enter commad into that field and press enter.

It will run for a while silently and then create a report. Please paste the contents of that report into a reply to this topic.

*Note: If you have Norton script blocking installed, disable it or allow the script to run or this tool won't work!


Also post a new hijackthis log with your reply.

Attached Files
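The two triage rules applied in this thread (an O4 Run value named ntdll.dll that launches QuickTime, and O23 services marked "(file missing)") as a small HijackThis log checker; this is an added example, not code from the thread or from HijackThis, and the sample lines are constructed from the logs above.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Flags two patterns discussed in this thread:
  * O23 service entries whose image is reported "(file missing)", i.e. orphaned
    services left behind by uninstalled software, and
  * O4 Run entries whose value name is a DLL name (e.g. [ntdll.dll]) while the
    command launches some other executable, which legitimate installers do not do.
A Run value whose .exe name differs from the launched image is reported at a
lower severity so the reader can review it rather than act on it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]{2,3})\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "O23 - Service: display (short) - owner - image [switches] [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Last path component ending in an executable extension; tolerates quoted and
# unquoted paths with spaces and trailing switches such as /Service or -atboottime.
IMAGE_RE = re.compile(r'([^\\"/]+?\.(?:exe|com|scr|bat))', re.IGNORECASE)


@dataclass
class Finding:
    kind: str     # "orphaned-service" | "dll-named-run" | "run-name-mismatch"
    line: str
    detail: str


def image_name(cmd: str) -> Optional[str]:
    """Return the lower-cased file name of the executable in a Run/Service command line."""
    m = IMAGE_RE.search(cmd)
    return m.group(1).lower() if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's rules to one log line; None means nothing to report."""
    line = line.strip()
    m = O23_RE.match(line)
    if m:
        if "(file missing)" in m.group("cmd").lower():
            return Finding("orphaned-service", line,
                           f"service '{m.group('display')}' (owner: {m.group('owner')}) "
                           "points at a file that no longer exists; remove it if unused")
        return None
    m = O4_RE.match(line)
    if m:
        name = m.group("name").lower()
        image = image_name(m.group("cmd"))
        if name.endswith(".dll"):
            return Finding("dll-named-run", line,
                           f"Run value named like a system DLL ({name}) launches "
                           f"{image or 'an unknown image'}; reinstall the program after cleaning")
        if name.endswith(".exe") and image and name != image:
            return Finding("run-name-mismatch", line,
                           f"Run value name {name} does not match launched image {image}; review")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample, modelled on the O4/O23 lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```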



#10 I_am_CanadianEh? (Topic Starter)

Posted 19 January 2006 - 09:10 AM

Ran the batch file. OK.

Here's the results of RegSrch:

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "commad" 01/19/06 8:58:57 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


"\"O4 - HKLM\\..\\Run: [ntdll.dll] \"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime\""=hex:fd,\
"commAd + remove"=hex:fd,94,ce,43

"\"O4 - HKLM\\..\\Run: [ntdll.dll] \"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime\""=hex:fd,\
"commAd + adware"=hex:0c,95,ce,43

There's that ntdll you were talking about - it appears that something "hooked" onto Quicktime. :thumbsup:

Finally, here's a fresh log, but it didn't delete the services that show "file missing" in them. The batch file should have done that, right??

Logfile of HijackThis v1.99.1
Scan saved at 9:06:32 AM, on 01/19/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\kmw_run.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\Network Device Switch 3\NDSTray.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\timp\My Documents\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.5/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267163188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267122680
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{650C4EDD-C0F8-4859-B611-35EBAD733980}: NameServer = 172.16.1.22,172.16.52.5,66.163.0.161
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msb.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ptssvc - Unknown owner - C:\Documents and Settings\timp\My Documents\Kodak EasyShare software\bin\ptssvc.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesbs3 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe" /Service (file missing)

Thanks for all your help so far!


:flowers:

#11 Grinler (Lawrence Abrams, Admin)

Posted 19 January 2006 - 01:33 PM

Actually, I did not see that you were running Windows 2000, so the batch wouldn't work.

Download http://www.bleepingcomputer.com/files/steelwerx/swsc.exe and save it in the root of your c:\ drive. Then download the attached bat file and save it to your c:\ drive again. So when you open C: you should see both of those files there.

Then run scdelete.bat and it should remove the services.


Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net/en/download/updates/

Once the updates are installed close the Ewido program.

Reboot your computer into Safe Mode

Once in safe mode, start Ewido and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report.txt file to your desktop.
Now close ewido security suite.

Reboot back to normal mode, open report.txt and post it as a reply to this post along with a new hijackthis log.

Attached Files



#12 I_am_CanadianEh? (Topic Starter)

Posted 19 January 2006 - 04:25 PM

Downloaded the exe and the latest batch file. I think it worked this time.

I already have Ewido installed and when I installed it, I DID install the background guard. But it expired after 14 days, so essentially I only have the trial version w/o real-time protection. But since I have SpywareBlaster, Spybot TeaTimer and Microsoft Antispy, I guess I'm well protected.

I scanned earlier today (before your post) in SAFE MODE and it found nothing. Do you want me to scan again?

Anyways, here's the latest HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 4:09:34 PM, on 01/19/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME3\Tmesbs3.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv3.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\TPWRTRAY.EXE
C:\WINNT\system32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\hpnra.exe
C:\WINNT\system32\kmw_run.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\Network Device Switch 3\NDSTray.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\timp\My Documents\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.5/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV3.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS3.EXE /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\system32\hpnra.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267163188
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121267122680
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{650C4EDD-C0F8-4859-B611-35EBAD733980}: NameServer = 172.16.1.22,172.16.52.5,66.163.0.161
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msb.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = msb.local
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE

#13 Grinler (Lawrence Abrams, Admin)

Posted 19 January 2006 - 05:26 PM

Download RegSearch.zip and extract the contents of the zip file to its own folder.

Open and double-click the icon for RegSearch.exe to launch the program.

Enter commAd in the top window and click OK. After completion Notepad will be opened with all the found instances. Please post that log.

#14 I_am_CanadianEh? (Topic Starter)

Posted 19 January 2006 - 10:11 PM

OK, did that. However, I think a problem occurred. After Notepad opened, RegSearch appeared to hang. The hourglass remained on the RegSearch window and stayed there for several minutes. I ended up ending the task in the Task Manager.

Also, RegSearch found nothing with commAd (see log below):

REGEDIT4

; Registry Search by Bobbi Flekman 2005
; Version: 1.0.2.4

; Results at 01/19/06 9:43:06 PM for strings:
; 'commad'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


Finally, I ran RegSrch.vbs again (from what you told me to do a few posts back) and NOTHING WAS FOUND. It appears that CommAd is gone, but I'll run Panda again tomorrow to see for sure.

The only thing I did notice was that I ran Ad-Aware in Safe Mode today and it found W32.trojandownloader.vb in an uninstall file from a program I had. IT WAS NOT THERE a few days ago and was also not present when I first discovered commAd. S-T-R-A-N-G-E. Anyways, I hence uninstalled the "infected" program, since cleaning it with Ad-Aware would have deleted the uninstall file and I would not have been able to remove the program from my computer.

I do believe I'm clean. I'll run all my scans tomorrow to be sure.

Thanks for all your help. You guys rock!!! :thumbsup:

#15 Grinler (Lawrence Abrams, Admin)

Posted 19 January 2006 - 11:37 PM

Do this for now:

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable System Restore with instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer, please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



