Spyware Or Adware Infection - (possible Zeno's Remnants)


12 replies to this topic

#1 Mickey Sabbath

Mickey Sabbath

  • Members
  • 43 posts
  • OFFLINE
  • Local time:07:20 PM

Posted 14 February 2006 - 11:40 AM

Norton Personal Antivirus 2004 identifies the following ineradicable Adware files on my computer as Adware.Mirar: WinATS[1].cab, WinATS.dll, 876057[1].exe, 876057.exe.

The malicious program-- whatever its name-- also added a listing to my program menu titled "STARTUP". Although nothing exists in the subfolder, every time I try to delete it, I get a message that it's a Windows System Folder and cannot be deleted.

I also have a listing in my startup menu called mwinrsap that I cannot attribute to any particular program I have installed and cannot find any info about on Google. Its command is C:\WINDOWS\System32\mwinrsap.exe FI002.

I enclose my HijackThis folder below.

Thanks for the attention.

Logfile of HijackThis v1.99.1
Scan saved at 5:03:02 PM, on 2/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sygate\SSA\Smc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinAVI VideoConverter\WinAVI.exe
C:\Documents and Settings\Administrator\Desktop\HiJack this\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\Smc.exe -startgui
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://print.westlaw.com
O15 - Trusted Zone: http://web2.westlaw.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5CC7F24-A549-46B3-B5EA-B0B8BC51235C}: NameServer = 24.29.103.10
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\Smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



AboutBuster also created the following log after an attempted cleaning:
AboutBuster 6.0
Scan started on [2/14/2006] at [4:36:15 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\876057.exe:KAVICHS
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:KAVICHS
Removed Stream! C:\WINDOWS\bootstat.dat:KAVICHS
Removed Stream! C:\WINDOWS\BQSHYJ2R.ocx:KAVICHS
Removed Stream! C:\WINDOWS\clock.avi:KAVICHS
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:KAVICHS
Removed Stream! C:\WINDOWS\COM+.log:KAVICHS
Removed Stream! C:\WINDOWS\comsetup.log:KAVICHS
Removed Stream! C:\WINDOWS\cpeins04.dat:KAVICHS
Removed Stream! C:\WINDOWS\CPEins05.dat:KAVICHS
Removed Stream! C:\WINDOWS\dahotfix.log:KAVICHS
Removed Stream! C:\WINDOWS\dasetup.log:KAVICHS
Removed Stream! C:\WINDOWS\DirectX.log:KAVICHS
Removed Stream! C:\WINDOWS\DtcInstall.log:KAVICHS
Removed Stream! C:\WINDOWS\elitemediagroup.ini:KAVICHS
Removed Stream! C:\WINDOWS\eliteunstall.exe:KAVICHS
Removed Stream! C:\WINDOWS\EventSystem.log:KAVICHS
Removed Stream! C:\WINDOWS\explorer.exe:KAVICHS
Removed Stream! C:\WINDOWS\explorer.scf:KAVICHS
Removed Stream! C:\WINDOWS\F9B5D4PH.ocx:KAVICHS
Removed Stream! C:\WINDOWS\FaxSetup.log:KAVICHS
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:KAVICHS
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:KAVICHS
Removed Stream! C:\WINDOWS\Greenstone.bmp:KAVICHS
Removed Stream! C:\WINDOWS\hh.exe:KAVICHS
Removed Stream! C:\WINDOWS\hpoins04.dat:KAVICHS
Removed Stream! C:\WINDOWS\hpomdl04.dat:KAVICHS
Removed Stream! C:\WINDOWS\hpomdl04.dat.temp:KAVICHS
Removed Stream! C:\WINDOWS\HPQ1024h.BMP:KAVICHS
Removed Stream! C:\WINDOWS\HPQ1280h.BMP:KAVICHS
Removed Stream! C:\WINDOWS\HPQ640h.BMP:KAVICHS
Removed Stream! C:\WINDOWS\HPQ800h.BMP:KAVICHS
Removed Stream! C:\WINDOWS\ibu.dll:KAVICHS
Removed Stream! C:\WINDOWS\ieuninst.exe:KAVICHS
Removed Stream! C:\WINDOWS\iis6.log:KAVICHS
Removed Stream! C:\WINDOWS\ikey.ini:KAVICHS
Removed Stream! C:\WINDOWS\imsins.BAK:KAVICHS
Removed Stream! C:\WINDOWS\imsins.log:KAVICHS
Removed Stream! C:\WINDOWS\IsUninst.exe:KAVICHS
Removed Stream! C:\WINDOWS\itnrr.dll:KAVICHS
Removed Stream! C:\WINDOWS\KB822603.log:KAVICHS
Removed Stream! C:\WINDOWS\KB823182.log:KAVICHS
Removed Stream! C:\WINDOWS\KB823559.log:KAVICHS
Removed Stream! C:\WINDOWS\KB824105.log:KAVICHS
Removed Stream! C:\WINDOWS\KB824146.log:KAVICHS
Removed Stream! C:\WINDOWS\KB825119.log:KAVICHS
Removed Stream! C:\WINDOWS\KB828028.log:KAVICHS
Removed Stream! C:\WINDOWS\KB828035.log:KAVICHS
Removed Stream! C:\WINDOWS\KB828741.log:KAVICHS
Removed Stream! C:\WINDOWS\KB833987.log:KAVICHS
Removed Stream! C:\WINDOWS\KB835409.log:KAVICHS
Removed Stream! C:\WINDOWS\KB835732.log:KAVICHS
Removed Stream! C:\WINDOWS\KB837001.log:KAVICHS
Removed Stream! C:\WINDOWS\KB839643-DirectX9.log:KAVICHS
Removed Stream! C:\WINDOWS\KB839645.log:KAVICHS
Removed Stream! C:\WINDOWS\KB840315.log:KAVICHS
Removed Stream! C:\WINDOWS\KB840374.log:KAVICHS
Removed Stream! C:\WINDOWS\KB840987.log:KAVICHS
Removed Stream! C:\WINDOWS\KB841356.log:KAVICHS
Removed Stream! C:\WINDOWS\KB841533.log:KAVICHS
Removed Stream! C:\WINDOWS\KB841873.log:KAVICHS
Removed Stream! C:\WINDOWS\KB842773.log:KAVICHS
Removed Stream! C:\WINDOWS\KB871250.log:KAVICHS
Removed Stream! C:\WINDOWS\KB873333.log:KAVICHS
Removed Stream! C:\WINDOWS\KB873339.log:KAVICHS
Removed Stream! C:\WINDOWS\KB873376.log:KAVICHS
Removed Stream! C:\WINDOWS\KB883939-IE6SP1-20050428.125228.log:KAVICHS
Removed Stream! C:\WINDOWS\KB885250.log:KAVICHS
Removed Stream! C:\WINDOWS\KB885835.log:KAVICHS
Removed Stream! C:\WINDOWS\KB885836.log:KAVICHS
Removed Stream! C:\WINDOWS\KB888113.log:KAVICHS
Removed Stream! C:\WINDOWS\KB888302.log:KAVICHS
Removed Stream! C:\WINDOWS\KB890046.log:KAVICHS
Removed Stream! C:\WINDOWS\KB890175.log:KAVICHS
Removed Stream! C:\WINDOWS\KB890859.log:KAVICHS
Removed Stream! C:\WINDOWS\KB890923-IE6SP1-20050225.103456.log:KAVICHS
Removed Stream! C:\WINDOWS\KB891781.log:KAVICHS
Removed Stream! C:\WINDOWS\KB892944.log:KAVICHS
Removed Stream! C:\WINDOWS\KB893066.log:KAVICHS
Removed Stream! C:\WINDOWS\KB893086.log:KAVICHS
Removed Stream! C:\WINDOWS\KB893756.log:KAVICHS
Removed Stream! C:\WINDOWS\KB893803v2.log:KAVICHS
Removed Stream! C:\WINDOWS\KB896358.log:KAVICHS
Removed Stream! C:\WINDOWS\KB896422.log:KAVICHS
Removed Stream! C:\WINDOWS\KB896423.log:KAVICHS
Removed Stream! C:\WINDOWS\KB896424.log:KAVICHS
Removed Stream! C:\WINDOWS\KB896426.log:KAVICHS
Removed Stream! C:\WINDOWS\KB896428.log:KAVICHS
Removed Stream! C:\WINDOWS\KB896688-IE6SP1-20051004.130236.log:KAVICHS
Removed Stream! C:\WINDOWS\KB896727-IE6SP1-20050719.165959.log:KAVICHS
Removed Stream! C:\WINDOWS\KB897715-OE6SP1-20050503.210336.log:KAVICHS
Removed Stream! C:\WINDOWS\KB898458.log:KAVICHS
Removed Stream! C:\WINDOWS\KB898461.log:KAVICHS
Removed Stream! C:\WINDOWS\KB899587.log:KAVICHS
Removed Stream! C:\WINDOWS\KB899588.log:KAVICHS
Removed Stream! C:\WINDOWS\KB899589.log:KAVICHS
Removed Stream! C:\WINDOWS\KB899591.log:KAVICHS
Removed Stream! C:\WINDOWS\KB900725.log:KAVICHS
Removed Stream! C:\WINDOWS\KB901017.log:KAVICHS
Removed Stream! C:\WINDOWS\KB901214.log:KAVICHS
Removed Stream! C:\WINDOWS\KB902400.log:KAVICHS
Removed Stream! C:\WINDOWS\KB904706.log:KAVICHS
Removed Stream! C:\WINDOWS\KB905414.log:KAVICHS
Removed Stream! C:\WINDOWS\KB905495.log:KAVICHS
Removed Stream! C:\WINDOWS\KB905749.log:KAVICHS
Removed Stream! C:\WINDOWS\KB905915-IE6SP1-20051122.175908.log:KAVICHS
Removed Stream! C:\WINDOWS\KB908519.log:KAVICHS
Removed Stream! C:\WINDOWS\KB910437.log:KAVICHS
Removed Stream! C:\WINDOWS\KB912919.log:KAVICHS
Removed Stream! C:\WINDOWS\logoffper2.reg:KAVICHS
Removed Stream! C:\WINDOWS\logonper2.reg:KAVICHS
Removed Stream! C:\WINDOWS\MedCtrOC.log:KAVICHS
Removed Stream! C:\WINDOWS\msdfmap.ini:KAVICHS
Removed Stream! C:\WINDOWS\msgsocm.log:KAVICHS
Removed Stream! C:\WINDOWS\msmqinst.log:KAVICHS
Removed Stream! C:\WINDOWS\muninst.exe:KAVICHS
Removed Stream! C:\WINDOWS\NeroDigital.ini:KAVICHS
Removed Stream! C:\WINDOWS\netfxocm.log:KAVICHS
Removed Stream! C:\WINDOWS\NOTEPAD.EXE:KAVICHS
Removed Stream! C:\WINDOWS\ntbtlog.txt:KAVICHS
Removed Stream! C:\WINDOWS\ntdtcsetup.log:KAVICHS
Removed Stream! C:\WINDOWS\NWQNADHB.ocx:KAVICHS
Removed Stream! C:\WINDOWS\O83PPKBG.ocx:KAVICHS
Removed Stream! C:\WINDOWS\ocgen.log:KAVICHS
Removed Stream! C:\WINDOWS\ocmsn.log:KAVICHS
Removed Stream! C:\WINDOWS\ODBC.INI:KAVICHS
Removed Stream! C:\WINDOWS\ODBCINST.INI:KAVICHS
Removed Stream! C:\WINDOWS\oeuninst.exe:KAVICHS
Removed Stream! C:\WINDOWS\OEWABLog.txt:KAVICHS
Removed Stream! C:\WINDOWS\orun32.ini:KAVICHS
Removed Stream! C:\WINDOWS\orun32.isu:KAVICHS
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:KAVICHS
Removed Stream! C:\WINDOWS\Q322359.log:KAVICHS
Removed Stream! C:\WINDOWS\Q323255.log:KAVICHS
Removed Stream! C:\WINDOWS\Q329048.log:KAVICHS
Removed Stream! C:\WINDOWS\Q329115.log:KAVICHS
Removed Stream! C:\WINDOWS\Q329170.log:KAVICHS
Removed Stream! C:\WINDOWS\Q329390.log:KAVICHS
Removed Stream! C:\WINDOWS\Q329441.log:KAVICHS
Removed Stream! C:\WINDOWS\Q329834.log:KAVICHS
Removed Stream! C:\WINDOWS\Q810090.log:KAVICHS
Removed Stream! C:\WINDOWS\Q810565.log:KAVICHS
Removed Stream! C:\WINDOWS\Q810833.log:KAVICHS
Removed Stream! C:\WINDOWS\Q811630.log:KAVICHS
Removed Stream! C:\WINDOWS\q812415.log:KAVICHS
Removed Stream! C:\WINDOWS\Q814033.log:KAVICHS
Removed Stream! C:\WINDOWS\Q817287.log:KAVICHS
Removed Stream! C:\WINDOWS\Q817472.log:KAVICHS
Removed Stream! C:\WINDOWS\Q817606.log:KAVICHS
Removed Stream! C:\WINDOWS\Q828026.log:KAVICHS
Removed Stream! C:\WINDOWS\qpovvl.dat:KAVICHS
Removed Stream! C:\WINDOWS\Reboot.exe:KAVICHS
Removed Stream! C:\WINDOWS\regedit.exe:KAVICHS
Removed Stream! C:\WINDOWS\REGLOCS.OLD:KAVICHS
Removed Stream! C:\WINDOWS\regopt.log:KAVICHS
Removed Stream! C:\WINDOWS\Rhododendron.bmp:KAVICHS
Removed Stream! C:\WINDOWS\River Sumida.bmp:KAVICHS
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:KAVICHS
Removed Stream! C:\WINDOWS\SchedLgU.Txt:KAVICHS
Removed Stream! C:\WINDOWS\sessmgr.setup.log:KAVICHS
Removed Stream! C:\WINDOWS\SETUP.LST:KAVICHS
Removed Stream! C:\WINDOWS\setupact.log:KAVICHS
Removed Stream! C:\WINDOWS\setupapi.log:KAVICHS
Removed Stream! C:\WINDOWS\smscfg.ini:KAVICHS
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:KAVICHS
Removed Stream! C:\WINDOWS\ST6UNST.000:KAVICHS
Removed Stream! C:\WINDOWS\SynCor.exe:KAVICHS
Removed Stream! C:\WINDOWS\SynthCoreA.Dll:KAVICHS
Removed Stream! C:\WINDOWS\tabletoc.log:KAVICHS
Removed Stream! C:\WINDOWS\TASKMAN.EXE:KAVICHS
Removed Stream! C:\WINDOWS\tsoc.log:KAVICHS
Removed Stream! C:\WINDOWS\twain.dll:KAVICHS
Removed Stream! C:\WINDOWS\twain_32.dll:KAVICHS
Removed Stream! C:\WINDOWS\twunk_16.exe:KAVICHS
Removed Stream! C:\WINDOWS\twunk_32.exe:KAVICHS
Removed Stream! C:\WINDOWS\updspapi.log:KAVICHS
Removed Stream! C:\WINDOWS\vb.ini:KAVICHS
Removed Stream! C:\WINDOWS\vbaddin.ini:KAVICHS
Removed Stream! C:\WINDOWS\vmmreg32.dll:KAVICHS
Removed Stream! C:\WINDOWS\VO63QJ2E.ocx:KAVICHS
Removed Stream! C:\WINDOWS\wiaservc.log:KAVICHS
Removed Stream! C:\WINDOWS\Windows Update.log:KAVICHS
Removed Stream! C:\WINDOWS\WindowsUpdate.log:KAVICHS
Removed Stream! C:\WINDOWS\winhelp.exe:KAVICHS
Removed Stream! C:\WINDOWS\winhlp32.exe:KAVICHS
Removed Stream! C:\WINDOWS\winnt.bmp:KAVICHS
Removed Stream! C:\WINDOWS\winnt256.bmp:KAVICHS
Removed Stream! C:\WINDOWS\wmsetup.log:KAVICHS
Removed Stream! C:\WINDOWS\wmsetup10.log:KAVICHS
Removed Stream! C:\WINDOWS\WMSysPr9.prx:KAVICHS
Removed Stream! C:\WINDOWS\WMSysPrx.prx:KAVICHS
Removed Stream! C:\WINDOWS\xpsp1hfm.log:KAVICHS
Removed Stream! C:\WINDOWS\Zapotec.bmp:KAVICHS
Removed Stream! C:\WINDOWS\_default.pif:KAVICHS
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:37:01 PM

Edited by Mickey Sabbath, 14 February 2006 - 05:04 PM.



#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:07:20 PM

Posted 15 February 2006 - 08:12 AM

Hello and welcome to the forum. I see some bad stuff that should not be on your computer. Let's remove it and see if that clears up your problems. Please proceed in the posted order.

1) Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - Default URLSearchHook is missing
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O15 - Trusted Zone: http://print.westlaw.com
O15 - Trusted Zone: http://web2.westlaw.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\System32\hpsw.exe >>> file

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

Empty the recycle bin and restart the computer. Post the ewido scan results, a new HJT log and your feedback on how you are running now.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
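As an added example (it is not code from this thread, from HijackThis or from BleepingComputer), the script below shows how the lines pskelley picked out of the HijackThis log can be selected mechanically. It parses the `Rn - ...` / `On - ...` entries and applies simple defender-side rules: a missing default URLSearchHook (R3), a BHO whose DLL is already gone (O2 "file missing"), an autostart binary dropped directly under System32 that is not a known Windows component (O4), every site added to the IE Trusted Zone (O15), and ActiveX downloads (O16 DPF) from hosts outside a small allowlist. The two allowlists and the sample log are constructed for the example from entries visible in this thread; the host allowlist is an assumption, so it flags the sharewareonline and abacast entries that pskelley left alone.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example, not HijackThis' or BleepingComputer's code. It applies simple
defender-side rules to the Rn/On entries of a log and lists the lines that
deserve a second look before anyone clicks "Fix Checked".
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlist: Windows-native binaries that legitimately autostart
# from %SystemRoot%\System32 on XP. Anything else launched from there is flagged.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "rundll32.exe", "dumprep", "msconfig.exe"}

# Constructed allowlist (an assumption for this example): hosts from which an
# O16 ActiveX download is expected on this machine. Other hosts are flagged.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "www.kaspersky.com", "h30043.www3.hp.com"}

_ENTRY = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, body, raw line) for every 'Rn - ...' / 'On - ...' entry."""
    entries = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))
    return entries


def _o4_target(body: str) -> str:
    """Extract the launched program from an O4 body such as
    'HKLM\\..\\Run: [susse] "C:\\WINDOWS\\System32\\hpsw.exe"'."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]   # quoted path, may contain spaces
    return cmd.split(" ", 1)[0]           # unquoted: program is the first token


def _system32_dropped(target: str) -> bool:
    """True if the program lives directly in System32 but is not a known Windows autostart."""
    t = target.lower()
    in_sys32 = t.startswith(("c:\\windows\\system32\\", "%systemroot%\\system32\\"))
    return in_sys32 and ntpath.basename(t) not in KNOWN_SYSTEM32_AUTOSTART


def triage(log_text: str) -> list[Finding]:
    """Apply the rules and return the entries worth reviewing."""
    findings = []
    for sec, body, line in parse_entries(log_text):
        if sec == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(sec, "default URLSearchHook removed or replaced", line))
        elif sec == "O2" and "(file missing)" in body:
            findings.append(Finding(sec, "BHO still registered but its DLL is gone", line))
        elif sec == "O4" and _system32_dropped(_o4_target(body)):
            findings.append(Finding(sec, "unknown binary autostarting from System32", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site in IE Trusted Zone (relaxed security settings)", line))
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(sec, f"ActiveX control fetched from unvetted host {host}", line))
    return findings


# Constructed sample: a subset of the entries from the first log in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: http://print.westlaw.com
O15 - Trusted Zone: http://web2.westlaw.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The O4 rule is deliberately narrow: it only looks at programs that sit directly in System32, so legitimate third-party autostarts under Program Files are never touched, and the rundll32/dumprep forms used by Windows itself pass through the allowlist. The O15 rule flags the westlaw entries as well; whether a Trusted Zone entry stays is a judgement call for the machine's owner, exactly as in the thread.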

#3 Mickey Sabbath

Mickey Sabbath
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:07:20 PM

Posted 15 February 2006 - 12:27 PM

First, let me begin by thanking you for your time, suggestions, and assistance.

I followed them to the letter in all but one case (westlaw is a trusted site I added and so omitted deleting it using HijackThis). However, I still seem to have a few inexplicable problems.

1) I wasn't sure about 3 positive identifications ewido made so, as you recommended, I did NOT delete them.


2) Despite disabling MSMessenger through Windows Services (through the device manager) AND unchecking it in the msconfig startup menu AND running Ad-Aware's Add-on "OE-WM Control Plug-in", MSMessenger still boots each time I start the computer. I also cannot exit from it because each time I try I get the message that I'm using some other application that employs MsMessenger. This wasn't the case before this damn adware commandeered my computer. I'm afraid the MSMessenger problem is a symptom of some other spyware/adware lodged in the recesses of my computer, or alternatively, could be exploited by them in the future.

3) The spyware continues to show up in my startup menu (the startup menu I get when I run msconfig, that is), although it does remain unchecked. The names of the Startup Items are as follows: Zeno, Z_Start, mwinrsap, rqdsregq. They don't correspond to programs I am familiar with so I assume they're spyware/adware. I also don't know whether I should worry about them if they don't remain checked.

I enclose the two logs of HijackThis and Ewido below. Let me know what you think. Again, I can't tell you how grateful I am for your help.


Logfile of HijackThis v1.99.1
Scan saved at 10:51:38 AM, on 2/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sygate\SSA\Smc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\Smc.exe -startgui
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://print.westlaw.com
O15 - Trusted Zone: http://web2.westlaw.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5CC7F24-A549-46B3-B5EA-B0B8BC51235C}: NameServer = 24.29.103.10
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\Smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:34:23 AM, 2/15/2006
+ Report-Checksum: D993C410

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00000001-C003-4A2F-9142-7CB1D78DE6C1} -> Adware.InternetOptimizer : Ignored
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Ignored
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000001-C003-4A2F-9142-7CB1D78DE6C1} -> Adware.InternetOptimizer : Ignored
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@chicagosuntimes.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkouodpcep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgkokpcpobp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wgkyamdpggq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@greatschools.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@heritagegalleries.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@news.com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribuneinteractive.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup


::Report End

Edited by Mickey Sabbath, 15 February 2006 - 06:23 PM.


#4 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 15 February 2006 - 08:37 PM

Hi Mickey, Let's see if I can help with your questions first, then I will look at the logs.

westlaw: that is fine, you may leave whatever you wish in your "Trusted Zone", me...I would not allow my own mother that much access to my computer.

1) The Adware.InternetOptimizer : Ignored items are bad and need to go. Unless you wish to edit the registry (make sure you back up), run ewido again and this time delete the junk. Here is information:
http://articles.networktechs.com/386-p1.php
http://www3.ca.com/securityadvisor/pest/pe...px?id=453076206
Looks like everything else located by ewido was deleted. If you don't know how to control those nasty cookies, let me know and I will provide information.

I would like to look at your uninstall list since InternetOptimizer item is there:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2) If you are talking about the Windows Messenger that is part of Windows XP, it must be turned off from within the program, probably under the options tab. I have it onboard as a spare; it never starts unless I start it. I use MSNIM and only boot Windows Messenger if MSNIM is down. If you can't figure this out, let me know, I will open mine and give you instructions for stopping it from running.

3) Turn on Normal Mode in Selective Startup and let me see everything that is there. Post a HJT log with everything running. I apologize, I should have asked for that earlier, working too many of these logs I guess. This is the indication you are running Selective Startup:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto but I do not see it in the last log:
Logfile of HijackThis v1.99.1 Scan saved at 10:51:38 AM, on 2/15/2006.

4) This item was posted for removal and it is still in your log?
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview
See this: http://castlecops.com/ActiveX.html
Elite Media Group X {9AC54695-69A4-46F1-BE10-10C74F9520D5} mediaview.cab Adware - more here
http://castlecops.com/atxlist-1509.html

That wraps it, post the uninstall list and a new HJT log making sure MSConfig is in Normal Mode when you scan for the log. Let me have any feedback you have also.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 Mickey Sabbath

Mickey Sabbath
  • Topic Starter

  • Members
  • 43 posts

Posted 16 February 2006 - 11:30 AM

Phil,

I post the Uninstall programs list and HijackThis logs you requested below (including a new EWIDO log).

I also followed your instructions:


1) I ran EWIDO again and deleted all the identifications EWIDO made.

2) I ran the HIjack's system scan to delete the file I missed the first time: O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} -http://cabs.elitemediagroup.net/cabs/mediaview

3) I ran XP's MSMessenger and followed your steps to the Options menu to de-activate it.

4) I selected the normal mode for selective startup before creating a HiJackThis File Log.

Please let me know if you see any more malicious programs operating or would recommend any additional tweaks. And thanks again.

-Mick

P.S. I agree with you about the Trusted Sites, but then again I trust westlaw more than my mother.


Abacast Client
Ad-Aware SE Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
Boomer Radio Tuner
Broadcom Management Programs
DirectShow .SHN FIlter
DirectX 9 Hotfix - KB839643
DVD Shrink 3.1.7
DVD X Rescue
DVDXCopy Platinum 3.2.1
Easy Access Button Support
Easy CD & DVD Creator 6
ewido anti-malware
HijackThis 1.99.1
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP SetRefresh
HP Software Update
Internet Explorer Q903235
InterVideo WinDVD
j2 Messenger 4.0
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_01
K-Lite Codec Pack 2.66 Full
Lavasoft Reghance 2.1 -licensed-
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Messenger-Control plug-in for Ad-Aware SE
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office XP Professional
mIRC
mkw Runtime Libraries
MSN Music Assistant
Nero 6 Ultra Edition
Norton AntiVirus Corporate Edition
NVIDIA Drivers
OE/W Messengerctrl plug-in for Ad-Aware SE
overland
Quicklinks
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Software Setup
SoundMAX
Spybot - Search & Destroy 1.4
Sygate Security Agent 2.2 For Laptop
TMPGEnc DVD Author 1.6
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.1
WinAVI VideoConverter
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
WinRAR archiver
WinZip

Logfile of HijackThis v1.99.1
Scan saved at 11:25:11 AM, on 2/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msiexec.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sygate\SSA\Smc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\Smc.exe -startgui
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [{8D-D2-21-18-ZN}] c:\windows\system32\rqdsregq.exe FI002
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\mwinrsap.exe FI002
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinrsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP

#6 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 16 February 2006 - 11:57 AM

Hi, no surprises in the uninstall list. It's a good time for you to look it over and dispose of anything you do not know or no longer use.

I only received a partial HJT log. Ewido was able to get rid of this Adware.InternetOptimizer junk for you?

Post a complete HJT log, I'll look it over for any last thoughts for you. The Messenger issue is a thing of the past also?

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#7 Mickey Sabbath

Mickey Sabbath
  • Topic Starter

  • Members
  • 43 posts

Posted 16 February 2006 - 01:27 PM

1) The Messenger problem is indeed a thing of the past.

2) How do I delete items from my Uninstall? Are there any listings in there, in particular, that you recommend I eliminate?

3) You ask whether EWIDO eradicated Adware.InternetOptimizer. I assume so. I ran it again and pressed OK to remove every positive identification. Incidentally, should I keep EWIDO's automatic blocking active for the foreseeable future?



Logfile of HijackThis v1.99.1
Scan saved at 1:12:27 PM, on 2/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sygate\SSA\Smc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\Smc.exe -startgui
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{8D-D2-21-18-ZN}] c:\windows\system32\rqdsregq.exe FI002
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\mwinrsap.exe FI002
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinrsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://print.westlaw.com
O15 - Trusted Zone: http://web2.westlaw.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5CC7F24-A549-46B3-B5EA-B0B8BC51235C}: NameServer = 24.29.103.10
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\Smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#8 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 16 February 2006 - 02:55 PM

How do I delete items from my Uninstall? Are there any listings in there, in particular, that you recommend I eliminate?

Not really, a few I just don't know, but I was looking for bad programs hiding there. Start > Control Panel > Add Remove Programs. Highlight anything you don't want and click Remove.

Ewido results: That's a good thing, that program does create popups, you might search for it by name and delete any reference to it you find. Also take a look in C:\Program Files\ If you see it listed in a folder, right click it and delete it. Make sure to clean out the Recycle Bin.

You may enjoy the additional realtime protection ewido provides until the trial is over if you wish. Here is the message I give everyone I ask to install the program:
Ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Logfile of HijackThis v1.99.1 Scan saved at 1:12:27 PM, on 2/16/2006

Oops, we have problems in the log; it seems a new item has found its way into the log. We will have more work to do:
O4 - HKLM\..\Run: [{8D-D2-21-18-ZN}] c:\windows\system32\rqdsregq.exe FI002
see this >> http://castlecops.com/t134515-O4_Startup_Zeno_lnk.html

Since you mentioned this as showing in a Spybot run earlier I have no idea why it has waited until now to show in the HJT log.

If you wish to make sure this stuff is bad before you delete it, use these free online tools and share the information with me.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Here is what I wish to remove:
c:\windows\system32\rqdsregq.exe
C:\WINDOWS\system32\mwinrsap.exe
C:\WINDOWS\system32\dwdsregt.exe

It also appears this one may be the AIM virus:
O4 - HKLM\..\Run: [{8D-D2-21-18-ZN}] c:\windows\system32\rqdsregq.exe FI002

Instructions start here:

1) Please download the Aimfix from here (don't run it yet):
http://www.jayloden.com/aimfix.htm

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [{8D-D2-21-18-ZN}] c:\windows\system32\rqdsregq.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\mwinrsap.exe FI002
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinrsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
(the above has been bothering me, may not be a problem. Please remove it and you can put it back when you are clean if you need it)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\dwdsregt.exe >>> file

C:\WINDOWS\System32\mwinrsap.exe >>> file

c:\windows\system32\rqdsregq.exe >>> file

You can look over the Prefetch files to make sure none of the bad ones are in Prefetch if you wish. If you find them in the C:\Windows\System32\ folder, chances are they will not be in Prefetch.

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

4) Double click on the Aimfix that you downloaded earlier and run it. (Make sure no other programs are running)

Reboot once again...

5) If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

6) Post a new HJT log, let me know how the computer is running.

Thanks...Phil

Edited by pskelley, 16 February 2006 - 04:21 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
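The removal steps in the post above are a manual triage of HijackThis O4 and O16 lines: compare each autostart target against the names the helper called out, and look for Startup-folder shortcuts that point straight into system32. The script below is an added example, not code from this thread, from HijackThis or from any tool named here. It parses HJT-style lines with regular expressions, flags the three executable names and the one ActiveX CLSID the helper listed for removal, and adds one heuristic of my own (a Startup shortcut whose target sits directly in system32, as Zeno.lnk and Z_Start.lnk do here). The sample lines are copied from the logs posted in this thread and embedded inline so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Executable names the helper listed for removal in this thread.
REMOVAL_NAMES = {"rqdsregq.exe", "mwinrsap.exe", "dwdsregt.exe"}
# O16 ActiveX CLSID the helper asked to fix in this thread.
REMOVAL_CLSIDS = {"{205FF73B-CA67-11D5-99DD-444553540013}"}

# Sample HJT lines, copied from the logs posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [{8D-D2-21-18-ZN}] c:\windows\system32\rqdsregq.exe FI002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\mwinrsap.exe FI002
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinrsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
"""

# O4 registry Run entries: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O4 Startup-folder shortcuts: "O4 - Startup: name.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# O16 downloaded ActiveX controls: "O16 - DPF: {CLSID} ..."
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})")
# First executable in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def exe_path(cmd: str) -> Optional[str]:
    """Return the executable path at the start of a command line, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def exe_basename(cmd: str) -> Optional[str]:
    """Lower-cased file name of the executable in a command line."""
    path = exe_path(cmd)
    if path is None:
        return None
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None if nothing matched."""
    line = line.rstrip()
    reasons: List[str] = []
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m:
        exe = exe_basename(m.group("cmd"))
        if exe in REMOVAL_NAMES:
            reasons.append(f"{exe} is on the removal list")
        # Heuristic (my assumption, not from the thread): a Startup-folder
        # shortcut whose target is a bare executable in system32 is unusual.
        path = exe_path(m.group("cmd"))
        if "scope" in m.groupdict() and path and "\\system32\\" in path.lower():
            reasons.append("Startup shortcut points into system32")
    d = DPF_RE.match(line)
    if d and d.group("clsid").upper() in REMOVAL_CLSIDS:
        reasons.append("ActiveX CLSID is on the removal list")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log and collect the findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

The script only reports; it does not touch the registry or delete files, so it can be run against a pasted log before any "Fix Checked" step. Extending REMOVAL_NAMES with names from other threads turns it into a quick first pass over new logs.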

#9 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 16 February 2006 - 04:19 PM

I found information to conclude an AIM virus was also on the computer. I edited the AIMFix into the last instructions. If you had moved past that part of the fix, complete it all, then run the AimFix with no other programs running. Where did you get all of this junk?
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#10 Mickey Sabbath

Mickey Sabbath
  • Topic Starter

  • Members
  • 43 posts

Posted 16 February 2006 - 04:32 PM

I followed your advice on cleaning from the install/uninstall menu and "Also take a look in C:\Program Files\ If you see it listed in a folder, right click it and delete it. Make sure to clean out the Recycle Bin."

I found the following empty file folder, which I could not delete because Windows claims it is being used by some other program:

1) Xerox with a subfolder, nwwia

I also found a suspicious file folder I don't recognize but wanted to check with you before I delete.

2) Jalmp (Inside is a file called arpf.cfg and an uninstall.exe icon)


Here's my new HijackThis log, following the additional steps you recommended.

Incidentally, I didn't find any of these files in Windows\System32: dwdsregt.exe, mwinrsap.exe, rqdsregq.exe. (Maybe we got them the first time around.)


Logfile of HijackThis v1.99.1
Scan saved at 4:13:49 PM, on 2/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\rundll32.exe
C:\Progra~1\NavNT\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sygate\SSA\Smc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\Smc.exe -startgui
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://print.westlaw.com
O15 - Trusted Zone: http://web2.westlaw.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5CC7F24-A549-46B3-B5EA-B0B8BC51235C}: NameServer = 24.29.103.10
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\Smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Thanks,
Mick

Edited by Mickey Sabbath, 16 February 2006 - 04:33 PM.


#11 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 16 February 2006 - 04:44 PM

OK Mick, I do not see that stuff in this log. I am still concerned, why don't you slowly go through the last set of instructions, run the AimFix if you have not done so yet. Make sure nothing is running when you run it and reboot right away after the fix.

Here is some information from some of the best in internet security. I'll give it to you now so you can read how to tighten up so this will not happen to you again. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Then if you seem to be running well, give it 24 hours and then give me some feedback and a new HJT log. Perhaps that will be the final look.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#12 Mickey Sabbath

Mickey Sabbath
  • Topic Starter

  • Members
  • 43 posts

Posted 18 February 2006 - 10:38 AM

I cleared out the System Restore files and downloaded and ran Aimfix.exe. The latter didn't detect any viruses.

My computer seems to be running okay despite my continuing inability to delete those two program files I mentioned in my last post:

1) Xerox with a subfolder, nwwia
2) Jalmp (Inside is a file called arpf.cfg and an uninstall.exe icon)

Let me know what you think. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:59 AM, on 2/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Progra~1\NavNT\vptray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
C:\Program Files\j2 Messenger 4.0\J2GTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Progra~1\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msiexec.exe
C:\Progra~1\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sygate\SSA\Smc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\Smc.exe -startgui
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: j2 DllCmd 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 4.0.lnk = C:\Program Files\j2 Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://print.westlaw.com
O15 - Trusted Zone: http://web2.westlaw.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5CC7F24-A549-46B3-B5EA-B0B8BC51235C}: NameServer = 24.29.103.10
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Progra~1\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\Smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
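
The two logs above were read by eye, line by line, which is how HijackThis logs are normally triaged. As an added example (not part of this thread and not HijackThis's own logic), the script below parses the O-section lines and applies a few of the checks a reviewer makes on a first pass: a Run key that launches something out of System32 that is not on a short allow-list (the kind of entry the poster mentioned, such as mwinrsap.exe), an entry whose target is "(file missing)", a site in the IE Trusted Zone, and an O17 NameServer that is not the resolver the owner expects. The allow-list, the expected resolver, and the sample log are assumptions: the sample reuses a handful of lines from the logs above plus two constructed lines, one O4 entry modelled on mwinrsap.exe and one O17 entry using a documentation-range address, so the rules have something to fire on. The same rules run over a full log unchanged.

```python
"""Triage a HijackThis 1.99.1 log: parse the O-section lines and flag the
entries a reviewer would look at first. Added example; the rules are
my own heuristics (assumptions), not HijackThis's or the forum's method."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines in the format of the logs posted above. The
# mwinrsap O4 line and the 203.0.113.53 O17 line are constructed so that
# the rules below have something to catch; the rest are copied from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Progra~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [mwinrsap] C:\WINDOWS\System32\mwinrsap.exe FI002
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://web2.westlaw.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5CC7F24-A549-46B3-B5EA-B0B8BC51235C}: NameServer = 24.29.103.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-EXAMPLE}: NameServer = 203.0.113.53
O23 - Service: DefWatch - Symantec Corporation - C:\Progra~1\NavNT\defwatch.exe
"""

# Assumed allow-list: System32 executables that legitimately autostart on an
# XP box like this one. Any other System32 target in a Run key gets flagged.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "rundll32.exe", "dumprep", "nwiz.exe"}
# Assumed: the resolver the owner expects (the one already in their log).
EXPECTED_NAMESERVERS = {"24.29.103.10"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _exe_name(cmd: str) -> str:
    """Lower-cased basename of the first token of a Run-key command.
    Handles both quoted paths and bare paths followed by arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        target = cmd[1:].split('"', 1)[0]
    else:
        target = cmd.split(" ", 1)[0]
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, header, blank lines
        section, body = m.group(1), m.group(2)

        # A dangling entry is leftover from something that was removed or
        # never finished installing; harmless but worth cleaning up.
        if "(file missing)" in body:
            findings.append(Finding(section, "dangling entry (file missing)", line))

        if section == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = _exe_name(r.group("cmd"))
                if "\\system32\\" in r.group("cmd").lower() and exe not in KNOWN_SYSTEM32_AUTOSTART:
                    findings.append(Finding(section, f"unknown System32 autostart {exe}", line))
        elif section == "O15":
            # Trusted Zone sites run with relaxed IE security; confirm each was added on purpose.
            findings.append(Finding(section, "site in IE Trusted Zone, confirm it was added on purpose", line))
        elif section == "O17":
            ns = body.split("NameServer = ", 1)[-1].strip()
            if ns not in EXPECTED_NAMESERVERS:
                findings.append(Finding(section, f"unexpected DNS server {ns}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Entries the rules do not flag (vptray, ctfmon, the rundll32 NvCpl line, the known resolver) are exactly the ones a reviewer would also pass over; the allow-list is what makes the System32 rule useful, so it has to be maintained for the machine being looked at.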

#13 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 18 February 2006 - 10:58 AM

Thanks for checking back with me :thumbsup:

1) Xerox with a subfolder, nwwia
2) Jalmp (Inside is a file called arpf.cfg and an uninstall.exe icon)
Delete the whole folder. If it won't let you delete it in normal mode, boot to Safe Mode and do it. If you have to, read the instructions and use Killbox: http://forum.malwareremoval.com/viewtopic.php?t=320
Neither of those folders or files is needed by you. Do whatever you must to get them off your computer.

Your HJT log looks great :flowers: and I would say you are good to go. Be careful, it's a cyber jungle out there.

Safe surfing...Phil

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
