Cmd Services; Backdoor.rbot.gen, Etc.


This topic is locked.
13 replies to this topic

#1 pillow

  • Members
  • 7 posts

Posted 15 April 2006 - 03:24 PM

I've followed every step in 3 tutorials on how to remove spyware, but there are still files that just cannot be deleted. :thumbsup:
I did scans both in safe mode and normal mode, and downloaded and used ewido, Spyware Doctor, Spybot, Ad-Aware SE, AVG, CleanUp, sting260, CWShredder, and an l2mremover.

Every time I scan using Spybot, I get these cmd services (command services) registry entries which refuse to be deleted after Spybot requests a reboot in order to fix those files. Only 1 or 2 cmd keys get successfully deleted; there are always 1 or 2 left/uncleanable no matter how many times I reboot (safe or normal mode). :flowers:

A couple of days ago, I used Spyware Doctor to scan my files. But since it doesn't really fix problems, I decided to uninstall it. After using every system scan known to man, Spyware Doctor still tells me that my PC still has the following:

Backdoor.Rbot.Gen
Deskwizz
I-Search Desktop Search Toolbar
Winsys Hijacker (Trojan-Clicker.Win32.VB.kc, Trojan.Win32.StartPage.ahg)
Dollarrevenue
Network Monitor (Command [Webroot])
VX2.Look2Me (Adware/Look2Me [Panda], Trojan-Downloader.Win32.Agent.jt [Kaspersky])


The other programs I downloaded don't show these results at all, though.

Anyway, I went through each step again in this forum's tutorial. The cmd keys are still there and refuse to be deleted. (TeaTimer off, tried it with the TeaTimer on, same bleep.)

Please please please help me fix this thing once and for all. :huh:

Can somebody analyze my HijackThis log for me?

Logfile of HijackThis v1.99.1
Scan saved at 4:01:44 AM, on 4/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2479.0001)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142744006981
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142741560553
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#2 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 16 April 2006 - 06:28 AM

Welcome. :thumbsup:

Please download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer.
==

Now, run a scan with HijackThis and check these objects for removal if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Post back with a fresh log and let me know if you're still having problems. :flowers:
Hi there, stranger!
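The reply above applies a few rules that are worth making explicit: registrations whose file is gone ("(no file)", "(file missing)") are safe to fix, an O16 object with neither a name nor a source URL goes, and a Local Page that lives outside %SystemRoot%\system32 is suspect. The script below is an added example, not code from the thread, from HijackThis or from BleepingComputer; it parses HijackThis 1.99 log lines and applies those rules, producing "fix" for exactly the seven entries ticked above, and "check" for things that need a look on disk first: a bare filename in a Run value (like the SysTray.Exe the thread asks about later), a Run value named after a system binary, a second Run value starting the same command (both appear in the second log in this thread), and the O10 LSP line. The sample lines are copied from the logs in this thread; the rules, severities and wording are this example's own.

```python
"""Triage HijackThis 1.99 log lines. Added example: encodes the reasoning in
the reply above; not code from the thread, HijackThis or BleepingComputer."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines taken from the two logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142744006981
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.+?)\] (.+)$")
LOCAL_PAGE_OK = re.compile(r"\\system32\\blank\.htm$", re.IGNORECASE)


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O2"
    text: str     # everything after "O2 - "


@dataclass
class Finding:
    severity: str  # "fix": tick it in HijackThis; "check": verify on disk first
    reason: str
    entry: Entry


def parse(log: str) -> list[Entry]:
    """Keep only the classified entries; running-process lines carry no code."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def rules(e: Entry) -> list[Finding]:
    """Per-entry rules; an entry can collect more than one finding."""
    out = []
    t = e.text
    if "(no file)" in t or "(file missing)" in t:
        out.append(Finding("fix", "registration points at a file that no longer exists", e))
    if e.section in ("R0", "R1") and "Local Page" in t:
        target = t.split("=", 1)[1].strip()
        if not LOCAL_PAGE_OK.search(target):
            out.append(Finding("fix", "Local Page moved outside %SystemRoot%\\system32", e))
    if e.section == "O16" and t.endswith("-"):
        out.append(Finding("fix", "downloaded ActiveX object with neither a name nor a source URL", e))
    if e.section == "O4":
        m = RUN_RE.match(t)
        if m:
            name, cmd = m.groups()
            if name.lower().endswith((".dll", ".exe", ".sys")):
                out.append(Finding("check", "autorun value named after a system binary", e))
            if "\\" not in cmd:
                out.append(Finding("check", "bare filename, resolved via the search path; locate the file on disk first", e))
    if e.section == "O10":
        out.append(Finding("check", "Winsock LSP entry; identify the provider before removing anything", e))
    return out


def triage(entries: list[Entry]) -> list[Finding]:
    """Run the per-entry rules plus one cross-entry rule: two Run values
    that start the same command."""
    findings = []
    seen_cmds: dict[str, str] = {}  # normalised command -> first Run value starting it
    for e in entries:
        findings.extend(rules(e))
        if e.section == "O4":
            m = RUN_RE.match(e.text)
            if m:
                name, cmd = m.groups()
                key = cmd.strip('"').lower()
                if key in seen_cmds:
                    findings.append(Finding("check", f"same command already started by [{seen_cmds[key]}]; one autorun is redundant", e))
                else:
                    seen_cmds[key] = name
    return findings


def report(findings: list[Finding]) -> str:
    order = {"fix": 0, "check": 1}
    return "\n".join(f"[{f.severity:5}] {f.entry.section} {f.entry.text}\n        {f.reason}"
                     for f in sorted(findings, key=lambda f: order[f.severity]))


if __name__ == "__main__":
    print(report(triage(parse(SAMPLE_LOG))))
```

Run it as-is to see the two lists; feed it a real log by replacing SAMPLE_LOG with the file contents. The "check" list is deliberately not a removal list: a bare SysTray.Exe is the normal form of that entry on Windows 2000, and a duplicate autorun is only odd, not proof of anything, until the target file has been examined.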

#3 pillow
  • Topic Starter
  • Members
  • 7 posts

Posted 17 April 2006 - 08:53 AM

Hi Rawe!

Ran delcmdservice, rebooted.
Before running HijackThis, I just had to make sure, so I scanned my drives using Spybot. And it worked! :thumbsup:

The cmd services thingie doesn't show up in the Spybot scan results anymore. :flowers:
Yey!
==============================================
Skeptic that I am, I did an online scan again using Panda, BitDefender and Trend Micro.

Panda ActiveScan results show 2 infections/spywares:
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard91.dat
Adware:Adware/CommAd Not disinfected C:\WINDOWS\Q1VQ\kYpk.vbs

These are the Bitdefender results:
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1143474297jtun_ennfullb.x86=>archstored:TCSCAN9.DAT
Suspected of: JS.Trojan.Downloader.IstBar.A

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1143474297jtun_ennfullb.x86=>archstored:TCSCAN9.DAT
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1143474297jtun_ennfullb.x86=>archstored:TCSCAN9.DAT
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1143474297jtun_ennfullb.x86
Update failed.
============================================

I couldn't save the Trend Micro scan cuz my browser kept crashing right after the scan.

What bothers me is that those entries don't show up in ewido, Spybot, Ad-Aware and AVG scan results.

Another thing... my firewall (Norton) keeps notifying me that svchost.exe wants to establish a connection even if I don't have any open browser windows or other programs (other than my firewall, ewido and AVG) running.

Thank you for helping me get rid of the cmdservices thing, though! I really appreciate it. :huh:

============================================
I still have a couple of questions:

1. Is my PC clean?
2. Why does svchost.exe keep trying to connect to the internet? Will it do any harm if I configure my firewall to permanently block that access attempt?
3. I have SysTray.Exe in my system startup. The blurb at the side (in Spybot) says that it's either a normal system process or malware/virus/adware added by the Bigfoot trojan or Aladinz.P trojan. Should I remove it (uncheck) from my startup list?
4. Why can't AVG, ewido, Spybot, Ad-Aware, etc. detect the malware detected by the online scanners? (I update them every day.)

===============================================
Before I forget, here's my latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:27:55 PM, on 4/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2479.0001)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Personal Firewall\IAMAPP.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142744006981
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142741560553
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#4 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 17 April 2006 - 09:53 AM

Firstly, you have two anti-virus clients. Only use AVG or Norton; two anti-viruses at the same time WILL cause problems.

The stuff the BitDefender scan found seems to be in your Norton update archive? If you decide to use AVG, then those should be gone with a folder deletion and program uninstallation. Or if you do decide to keep Norton, then simply delete those files listed in the BitDefender log.

As for the Panda findings, let's delete them :thumbsup:

==

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Q1VQ\kYpk.vbs
    C:\WINDOWS\keyboard91.dat


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

==

Now, fix these entries within HijackThis by checking them, closing all other open windows, and hitting FIX CHECKED:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


==

Now, please try to find out this file's path (by doing a Windows Search on the C:\ drive):

SysTray.Exe

Let me know that.

==

Post back with a fresh HijackThis log.. And let me know how's the system running now. :flowers:
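The "Delete on Reboot" step above, and the PendingFileRenameOperations prompt it warns about, rest on one Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends a (source, destination) pair to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and Session Manager replays the list at the next boot before anything else can lock the files. An empty destination means delete; a destination starting with "!" means replace the existing file. The code below is an added example, not code from the thread or from Killbox: it decodes the raw REG_MULTI_SZ (keeping the meaningful empty strings), turns the pairs into operations, builds the entries a delete-on-reboot tool would add for the two Panda hits, and lists anything already queued that the user did not ask for, which is what makes that prompt worth reporting. The sample value is constructed; the SET1A.tmp/example.dll replace entry is fictional. read_live() uses the standard winreg module and only works on Windows.

```python
"""Decode and build PendingFileRenameOperations lists.
Added example, not code from the thread or from Killbox."""
from __future__ import annotations

import sys
from dataclasses import dataclass

NT_PREFIX = "\\??\\"  # MoveFileEx stores NT-style paths in the value


def decode_multi_sz(raw: bytes) -> list[str]:
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, list closed by one
    more NUL. Empty strings inside the list are meaningful (they mean
    'delete'), so they must survive decoding."""
    text = raw.decode("utf-16-le")
    if text == "\x00":                     # empty list: just the terminator
        return []
    if not text.endswith("\x00\x00"):
        raise ValueError("not a terminated REG_MULTI_SZ")
    body = text[:-1]                       # drop the list terminator
    return body.split("\x00")[:-1]         # each string ended in NUL; drop split artefact


def encode_multi_sz(strings: list[str]) -> bytes:
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


@dataclass
class PendingOp:
    kind: str          # "delete", "move" or "replace"
    source: str
    destination: str   # "" for delete


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(strings: list[str]) -> list[PendingOp]:
    """Pairs of (source, destination); '' destination deletes, '!' prefix replaces."""
    if len(strings) % 2:
        raise ValueError("odd number of strings: list is corrupt")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt(src), ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", _strip_nt(src), _strip_nt(dst[1:])))
        else:
            ops.append(PendingOp("move", _strip_nt(src), _strip_nt(dst)))
    return ops


def schedule_delete(existing: list[str], paths: list[str]) -> list[str]:
    """What a delete-on-reboot tool appends for each file it is asked to remove."""
    new = list(existing)
    for p in paths:
        new.extend([NT_PREFIX + p, ""])
    return new


def unexpected(ops: list[PendingOp], requested: set[str]) -> list[PendingOp]:
    """Operations already queued by something else. This is what to look at
    when a cleanup tool warns that PendingFileRenameOperations is not empty."""
    want = {p.lower() for p in requested}
    return [op for op in ops if op.source.lower() not in want]


def read_live() -> list[str]:
    """Windows only: the real value; winreg already splits REG_MULTI_SZ."""
    if sys.platform != "win32":
        raise OSError("PendingFileRenameOperations exists only on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Session Manager") as key:
        value, value_type = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    if value_type != winreg.REG_MULTI_SZ:
        raise TypeError("unexpected value type")
    return value


# Constructed sample: the two Panda hits from this thread queued for deletion
# on top of one fictional replace entry of the kind an installer leaves behind.
REQUESTED = [r"C:\WINDOWS\Q1VQ\kYpk.vbs", r"C:\WINDOWS\keyboard91.dat"]
SAMPLE_RAW = encode_multi_sz(schedule_delete(
    [NT_PREFIX + r"C:\WINDOWS\system32\SET1A.tmp",
     "!" + NT_PREFIX + r"C:\WINDOWS\system32\example.dll"], REQUESTED))

if __name__ == "__main__":
    for op in parse_pending(decode_multi_sz(SAMPLE_RAW)):
        arrow = f" -> {op.destination}" if op.destination else ""
        print(f"{op.kind:8} {op.source}{arrow}")
```

The split-then-drop-one approach matters: a naive "strip all trailing NULs" loses the empty destination of the last delete entry and shifts every later pair by one. On a live machine, an entry in this list that you did not queue deserves the same scrutiny as an autorun: it runs as SYSTEM at boot, before any on-access scanner is up.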

#5 pillow
  • Topic Starter
  • Members
  • 7 posts

Posted 18 April 2006 - 03:19 PM

Hi again! :huh:

These are the things I've done so far, per your instructions:

1. Manually deleted TCSCAN9.DAT and uninstalled Norton AntiVirus.
2. Ran Killbox and killed/deleted upon reboot C:\WINDOWS\Q1VQ\kYpk.vbs and C:\WINDOWS\keyboard91.dat
3. Fixed the following entries in HijackThis:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

4. I have two systray.exe files; one in C:\Windows\System32 and another in C:\Windows\System32\dllcache.

5. Here's my latest HijackThis log:

===============================

Logfile of HijackThis v1.99.1
Scan saved at 3:48:57 AM, on 4/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2479.0001)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142744006981
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142741560553
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = xxx.xxx.xxx,xxx.xxx.xxx
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = xxx.xxx.xxx,xxx.xxx.xxx
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = xxx.xxx.xxx,xxx.xxx.xxx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Note:

I crossed out the name servers cuz I'm paranoid like that. Tell me if you need the addresses. :thumbsup:
I also have two firewalls listed there. I disabled Norton Personal Firewall because it drove me crazy.

===============================


Will this be a problem? ----> O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing

Scanned using Spyware Doctor and I got the following results:
Backdoor.Rbot.Gen HKCU\Software\Microsoft\OLE##winlog
plus 161 MSN SmartTags.
How do I remove that Backdoor.Rbot.Gen thing? Should I do anything about the SmartTags?

Ad-Aware SE and Spybot scans turn out clean. :flowers:
BitDefender scan only yielded vulnerability results.
Haven't had the chance to scan using Panda and Trend Micro because they take too darn long.
Do you need the scan results from those sites?

Thanks so much, Rawe, for all your help so far.

:huh:
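The two-copies question in the post above is a common one, and the thread never returns to it. Two background facts, mine rather than the thread's: on Windows 2000 and XP, %SystemRoot%\system32\dllcache is the Windows File Protection backup store, so a second identical copy of a system binary there is expected; and a Run value that holds a bare filename such as SysTray.Exe is resolved through the process search path, so a copy planted in a directory searched earlier would run instead of the one in system32. The check a practitioner does is therefore: find every copy, hash them, and work out which one the bare name would resolve to. The script below is an added example, not code from the thread or from any of the tools in it; it builds a constructed directory layout (fictional file contents) so it runs offline, and the search order is supplied by the caller because it depends on the launching process.

```python
"""Locate every copy of an autorun binary, compare them, and show which copy
a bare filename resolves to. Added example, not from the thread."""
from __future__ import annotations

import hashlib
import os
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, name: str) -> list[Path]:
    """Case-insensitive walk, since NTFS file names are case-insensitive."""
    want = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == want:
                hits.append(Path(dirpath) / f)
    return sorted(hits)


def group_by_digest(paths: list[Path]) -> dict[str, list[Path]]:
    """Identical copies (e.g. system32 and its dllcache backup) share a digest;
    a differing copy shows up as a second group."""
    groups: dict[str, list[Path]] = {}
    for p in paths:
        groups.setdefault(sha256_of(p), []).append(p)
    return groups


def resolve_bare_name(name: str, search_dirs: list[Path]) -> Path | None:
    """First directory in search order that holds the file wins; a copy placed
    earlier in the order shadows the legitimate one."""
    for d in search_dirs:
        entries = os.listdir(d) if d.is_dir() else []
        for f in entries:
            if f.lower() == name.lower():
                return d / f
    return None


def assess(root: Path, name: str, search_dirs: list[Path]) -> dict:
    copies = find_copies(root, name)
    groups = group_by_digest(copies)
    return {
        "copies": copies,
        "distinct_versions": len(groups),
        "all_identical": len(groups) <= 1,
        "would_run": resolve_bare_name(name, search_dirs),
    }


def build_sample(root: Path) -> None:
    """Constructed layout with fictional contents: a system32 copy, its WFP
    backup in dllcache, and a differing copy dropped in a writable directory."""
    good = b"MZ-fictional-systray-good"
    (root / "WINDOWS" / "system32" / "dllcache").mkdir(parents=True)
    (root / "WINDOWS" / "system32" / "SysTray.Exe").write_bytes(good)
    (root / "WINDOWS" / "system32" / "dllcache" / "systray.exe").write_bytes(good)
    (root / "Temp").mkdir()
    (root / "Temp" / "SYSTRAY.EXE").write_bytes(b"MZ-fictional-systray-planted")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        order = [root / "WINDOWS", root / "WINDOWS" / "system32", root / "Temp"]
        for key, value in assess(root, "SysTray.Exe", order).items():
            print(f"{key}: {value}")
```

With only the system32 and dllcache copies present, all_identical is True and the question is answered: it is the protected binary and its backup. A third copy with a different digest, or a would_run that points anywhere other than system32, is the case that warrants submitting the file for analysis.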

#6 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 19 April 2006 - 07:18 AM

Nope, the O10 entry shouldn't be a problem, since it is a valid LSP.

What about posting a screenshot or a log of the Spyware Doctor results? :thumbsup:

#7 pillow
  • Topic Starter
  • Members
  • 7 posts

Posted 19 April 2006 - 02:15 PM

I did say 161 SmartTags, right? Hehe.
By the way, should I do anything about my two systray.exe files?

Can't thank you enough, Rawe. You're a lifesaver. :thumbsup:

:flowers:


=====================================================
Spyware Doctor Scan Results:
scan start: 4/19/2006 12:36:03 AM
scan stop: 4/19/2006 12:41:44 AM
scanned items: 61686
found items: 162
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner


Backdoor.Rbot.Gen HKCU\Software\Microsoft\OLE##winlog
MSN SmartTags C:\Program Files\MSN\smarttag\MSNBHO.dll High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4} High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32 High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32##ThreadingModel High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\Programmable High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\Programmable## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\TypeLib High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\TypeLib## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\VersionIndependentProgID High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\VersionIndependentProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4} High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32 High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32##ThreadingModel High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\Programmable High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\Programmable## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\TypeLib High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\TypeLib## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\VersionIndependentProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\VersionIndependentProgID## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7} High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Control High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Control## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\InprocServer32 High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\InprocServer32## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\InprocServer32##ThreadingModel High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\MiscStatus High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\MiscStatus## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\MiscStatus\1 High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\MiscStatus\1## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\ProgID High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\ProgID## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Programmable High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Programmable## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\ToolboxBitmap32 High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\ToolboxBitmap32## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\TypeLib High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\TypeLib## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Version High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Version## High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\VersionIndependentProgID High
MSN SmartTags HKCR\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\VersionIndependentProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7} High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Control High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Control## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\InprocServer32 High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\InprocServer32## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\InprocServer32##ThreadingModel High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\MiscStatus High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\MiscStatus## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\MiscStatus\1 High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\MiscStatus\1## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\ProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\ProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Programmable High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Programmable## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\ToolboxBitmap32 High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\ToolboxBitmap32## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\TypeLib High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\TypeLib## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Version High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\Version## High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\VersionIndependentProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{2321F6BA-0DF5-42FF-9020-F200AF7A41E7}\VersionIndependentProgID## High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD} High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}## High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\InprocServer32 High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\InprocServer32## High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\InprocServer32##ThreadingModel High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\ProgID High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\ProgID## High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\Programmable High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\Programmable## High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\TypeLib High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\TypeLib## High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\VersionIndependentProgID High
MSN SmartTags HKCR\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\VersionIndependentProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD} High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}## High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\InprocServer32 High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\InprocServer32## High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\InprocServer32##ThreadingModel High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\ProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\ProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\Programmable High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\Programmable## High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\TypeLib High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\TypeLib## High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\VersionIndependentProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{5EA4C594-A7A5-4588-807A-9D6079CCD7AD}\VersionIndependentProgID## High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F} High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}## High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\InprocServer32 High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\InprocServer32## High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\InprocServer32##ThreadingModel High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\ProgID High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\ProgID## High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\VersionIndependentProgID High
MSN SmartTags HKCR\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\VersionIndependentProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F} High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}## High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\InprocServer32 High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\InprocServer32## High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\InprocServer32##ThreadingModel High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\ProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\ProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\VersionIndependentProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{7802C010-19E4-42AE-BFE5-B244B488B32F}\VersionIndependentProgID## High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104} High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}## High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\InprocServer32 High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\InprocServer32## High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\InprocServer32##ThreadingModel High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\ProgID High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\ProgID## High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\Programmable High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\Programmable## High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\TypeLib High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\TypeLib## High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\VersionIndependentProgID High
MSN SmartTags HKCR\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\VersionIndependentProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104} High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}## High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\InprocServer32 High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\InprocServer32## High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\InprocServer32##ThreadingModel High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\ProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\ProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\Programmable High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\Programmable## High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\TypeLib High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\TypeLib## High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\VersionIndependentProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{BC9C6F62-CEA5-4f74-B1D0-6658CD30D104}\VersionIndependentProgID## High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE} High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}## High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\InprocServer32 High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\InprocServer32## High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\InprocServer32##ThreadingModel High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\ProgID High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\ProgID## High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\VersionIndependentProgID High
MSN SmartTags HKCR\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\VersionIndependentProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE} High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}## High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\InprocServer32 High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\InprocServer32## High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\InprocServer32##ThreadingModel High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\ProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\ProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\VersionIndependentProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{F092C9DD-B8C9-4D42-88AF-3CCE8572E6DE}\VersionIndependentProgID## High


Other Sections:

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:14 PM

Posted 20 April 2006 - 08:02 AM

The systray.exe files are both legit.

==

To your Spyware Doctor results. Please delete this folder:

C:\Program Files\MSN\smarttag\

Empty recycle bin.

==

Download RegSeeker here: http://www.hoverdesk.net/freeware.htm

Once downloaded, unzip the folder, and run RegSeeker.exe inside it.

Click 'Search in Registry'.

Check all the boxes under a section named Keys.
Check all the boxes under a section named Search Options.

On the lower left-hand corner, check the box for Backup Before Deletion.

On the Search for bar, type in: OLE##winlog

If you don't get any results, let me know. You should get this key out of the search: HKCU\Software\Microsoft\OLE##winlog

Right-click on it, and hit Delete selected items.

==

Then do a search for: MSN SmartTags

Most of what it finds should match the results from Spyware Doctor. Delete these items as well.

==

Reboot, post back with a fresh HijackThis log and let me know if Spyware Doctor still detects these threats :thumbsup:
Hi there, stranger!

#9 pillow

pillow
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 22 April 2006 - 02:56 PM

1. Deleted the smarttag folder then emptied recycle bin.


2. Scanned using Spyware Doctor
- Found the OLE winlog infection as well as 27 smart tags left


3. Ran RegSeeker (checked boxes) and did a search using the following keywords:
OLE##winlog
MSN SmartTags
- No search results for OLE
- Only one result for MSN smart tags, deleted. Rebooted pc.


4. Ran Spyware Doctor, still came up with 27 infected entries. Here's the scan log:

===================================

Spyware Doctor Activity Report Generated on 4/23/2006 3:18:10 AM


Scans (basic information only):

Scan Results:scan start: 4/23/2006 3:19:24 AM
scan stop: 4/23/2006 3:19:29 AM
scanned items: 2337
found items: 0
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk

Scan Results:scan start: 4/23/2006 3:19:49 AM
scan stop: 4/23/2006 3:26:36 AM
scanned items: 63641
found items: 27
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Backdoor.Rbot.Gen HKCU\Software\Microsoft\OLE##winlog High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4} High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32 High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32##ThreadingModel High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\Programmable High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\Programmable## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\TypeLib High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\TypeLib## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\VersionIndependentProgID High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\VersionIndependentProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4} High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32 High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32##ThreadingModel High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\Programmable High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\Programmable## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\TypeLib High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\TypeLib## High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\VersionIndependentProgID High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\VersionIndependentProgID## High


Other Sections:

===================================



5. Hijack This log:

===================================

Logfile of HijackThis v1.99.1
Scan saved at 3:35:18 AM, on 4/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2479.0001)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1142744006981
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142741560553
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = xxx.xxx.xxx, xxx.xxx.xxx
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = xxx.xxx.xxx, xxx.xxx.xxx
O17 - HKLM\System\CS2\Services\Tcpip\..\{3D096696-DC24-4590-8F16-36ABF6CEFD0C}: NameServer = xxx.xxx.xxx, xxx.xxx.xxx
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

===================================


6. By the way, when I tried to post this reply, I got transported to http://www.bleepingcomputer.com/forums/t/22118/you-are-using-an-older-version-of-hijackthis/
which has a post that says I'm using an old version of HijackThis.
I have version v1.99.1, the same one as in the link provided on that forum page.

#10 pillow

pillow
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 22 April 2006 - 02:57 PM

Oh... I fixed the HTML code... Previously, the bold and color codes ended before the version number. After I included the version number inside the codes, I was able to post a reply. So please disregard number 6. :thumbsup:

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:14 PM

Posted 22 April 2006 - 03:36 PM

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fix.reg to your desktop.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"winlog"=-

[-HKEY_CLASSES_ROOT\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}]


Now double-click on the Fix.reg on your desktop and allow it to merge with the registry by clicking YES on the prompt. Please reboot.

==

Any problems now? :thumbsup:
Hi there, stranger!
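The Fix.reg above is what the 27 Spyware Doctor hits in post #9 boil down to: a single stray value under an otherwise legitimate key (OLE\winlog) and one CLSID registration in two hives. The script below is an added example, not code from the thread or from Spyware Doctor, that derives that same REGEDIT4 text from the scanner's "Infection Name Location Risk" lines (Spyware Doctor writes a value hit as KEY##VALUENAME, and a trailing "##" is the key's default value); the sample lines and all function names are constructed here.

```python
# Added example (not code from the thread or from Spyware Doctor): derive the
# REGEDIT4 cleanup that Rawe wrote by hand from Spyware Doctor detection lines.
import re

# Constructed sample: a subset of the detection lines from post #9. Spyware
# Doctor writes a value hit as KEY##VALUENAME; a trailing "##" is the default value.
SAMPLE_LOG = r"""
Infection Name Location Risk
Backdoor.Rbot.Gen HKCU\Software\Microsoft\OLE##winlog High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4} High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}## High
MSN SmartTags HKCR\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\InprocServer32##ThreadingModel High
MSN SmartTags HKLM\Software\Classes\CLSID\{9DD4258A-7138-49C4-8D34-587879A5C7A4}\ProgID High
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}
LINE_RE = re.compile(r"^(?P<name>.+?) (?P<loc>HK(?:CU|LM|CR|U|CC)\\\S+) (?P<risk>\w+)$")
CLSID_RE = re.compile(r"^(?P<root>.*?\\CLSID\\\{[0-9A-F-]{36}\})", re.IGNORECASE)

def parse_detections(text):
    """Return (infection, key, value) tuples: value is None for a key hit,
    "" for the key's default value, otherwise the value name."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                     # header, blank and non-registry lines
            continue
        key, sep, value = m.group("loc").partition("##")
        found.append((m.group("name"), key, value if sep else None))
    return found

def expand_hive(key):
    """HKCU\\... -> HKEY_CURRENT_USER\\..., the long form .reg files require."""
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive) + sep + rest

def plan_cleanup(detections):
    """Collapse detections into ordered, de-duplicated (key, value) actions.
    Any hit under a CLSID\\{GUID} registration deletes that whole key (its
    InprocServer32, ProgID, TypeLib subkeys go with it); a value under an
    otherwise legitimate key, like OLE\\winlog, deletes only that value."""
    actions, seen = [], set()
    for _name, key, value in detections:
        m = CLSID_RE.match(key)
        action = (expand_hive(m.group("root")), None) if m else (expand_hive(key), value)
        if action not in seen:
            seen.add(action)
            actions.append(action)
    return actions

def render_reg(actions):
    """Emit REGEDIT4 text: [-KEY] deletes a key, "name"=- deletes a value."""
    lines = ["REGEDIT4", ""]
    for key, value in actions:
        if value is None:
            lines += ["[-%s]" % key, ""]
        else:
            lines += ["[%s]" % key, "@=-" if value == "" else '"%s"=-' % value, ""]
    return "\n".join(lines)

def build_fix_reg(log_text):
    return render_reg(plan_cleanup(parse_detections(log_text)))

if __name__ == "__main__":
    print(build_fix_reg(SAMPLE_LOG))
```

Run on the sample it prints the three entries of Rawe's Fix.reg in the same order; the output is meant to be read before merging, since a key-level delete removes every subkey beneath it.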

#12 pillow

pillow
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:14 PM

Posted 26 April 2006 - 11:05 AM

Everything seems to be working fine now, Rawe.

Except for that TCSCAN9.DAT thing which resurrects (BitDefender). But I'm guessing that's not such a big problem because antivirus and antispyware programs don't really detect it.


Thank you so much! :thumbsup:

:flowers:

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:14 PM

Posted 26 April 2006 - 11:10 AM

You're welcome.. :thumbsup:

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favourite)
Hi there, stranger!

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:14 PM

Posted 27 April 2006 - 08:38 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!
