My Registry Has Been Attacked!help


This topic is locked. 22 replies to this topic.

#1 MongoJerry36

  • Members
  • 65 posts
  • Location:NJ

Posted 10 September 2006 - 12:29 PM

Hello,
In the last month I have scanned my system with Spy Sweeper about 4 times. And every time this adware comes back. It is called IST Surf Accuracy. It goes to quarantine, and then when I reboot it restores itself to its original location. I have also tried to delete it manually, but I am unsuccessful.

I then decided to try a free trial of Spyware Doctor and it discovered 168 infections in the registry. I recently had a previous infection of Spyfalcon and Bleeping Computer also helped me.

Posted are my HijackThis log and the log from Spyware Doctor:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:15 PM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Rick Kerr\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WildTangent CDA] "RUNDLL32.exe" "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKLM\..\Run: [Tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 836017] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836017
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 836188] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836188
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


SPYWARE DOCTOR
Scan Results:
scan start: 9/10/2006 1:24:03 PM
scan stop: 9/10/2006 1:24:37 PM
scanned items: 5648
found items: 0
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk

Scan Results:
scan start: 9/10/2006 1:24:46 PM
scan stop: 9/10/2006 1:26:18 PM
scanned items: 18406
found items: 168
found and ignored: 0
tools used: Registry Scanner, ActiveX Scanner

Infection Name Location Risk
Yazzle Sudoku HKCR\.sdu High
Yazzle Sudoku HKCR\.sdu## High
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D} Medium
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D}## Medium
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D}\ProxyStubClsid Medium
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D}\ProxyStubClsid## Medium
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D}\ProxyStubClsid32 Medium
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D}\ProxyStubClsid32## Medium
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D}\TypeLib Medium
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D}\TypeLib## Medium
WindowEnhancer HKCR\Interface\{095B3871-E94C-11D2-B88E-00104B21678D}\TypeLib##Version Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5} Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5}## Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5}\ProxyStubClsid Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5}\ProxyStubClsid## Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5}\ProxyStubClsid32 Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5}\ProxyStubClsid32## Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5}\TypeLib Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5}\TypeLib## Medium
WindowEnhancer HKCR\Interface\{1158DEF3-3923-11D3-B73E-00105A9D65D5}\TypeLib##Version Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5} Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5}## Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5}\ProxyStubClsid Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5}\ProxyStubClsid## Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5}\ProxyStubClsid32 Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5}\ProxyStubClsid32## Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5}\TypeLib Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5}\TypeLib## Medium
WindowEnhancer HKCR\Interface\{708A028B-F7E8-11D2-B71D-00105A9D65D5}\TypeLib##Version Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D} Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D}## Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D}\ProxyStubClsid Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D}\ProxyStubClsid## Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D}\ProxyStubClsid32 Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D}\ProxyStubClsid32## Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D}\TypeLib Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D}\TypeLib## Medium
WindowEnhancer HKCR\Interface\{A30D73C1-EB9E-11D2-B88E-00104B21678D}\TypeLib##Version Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5} Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5}## Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid## Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid32 Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid32## Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5}\TypeLib Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5}\TypeLib## Medium
WindowEnhancer HKCR\Interface\{CF36A847-3614-11D3-B73D-00105A9D65D5}\TypeLib##Version Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5} Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5}## Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid## Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid32 Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid32## Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5}\TypeLib Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5}\TypeLib## Medium
WindowEnhancer HKCR\Interface\{CF36A849-3614-11D3-B73D-00105A9D65D5}\TypeLib##Version Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5} Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5}## Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid## Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid32 Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid32## Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5}\TypeLib Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5}\TypeLib## Medium
WindowEnhancer HKCR\Interface\{E4E62871-3614-11D3-B73D-00105A9D65D5}\TypeLib##Version Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5} Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5}## Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid## Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid32 Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5}\ProxyStubClsid32## Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5}\TypeLib Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5}\TypeLib## Medium
WindowEnhancer HKCR\Interface\{E4E62873-3614-11D3-B73D-00105A9D65D5}\TypeLib##Version Medium
BearShare HKCR\RunMSC.Loader.1\CLSID## Info & PUAs
BearShare HKCR\RunMSC.Loader\CLSID## Info & PUAs
WindowEnhancer HKCR\SBWebCtl.Full Medium
WindowEnhancer HKCR\SBWebCtl.Full## Medium
WindowEnhancer HKCR\SBWebCtl.Full.1 Medium
WindowEnhancer HKCR\SBWebCtl.Full.1## Medium
WindowEnhancer HKCR\SBWebCtl.Full.1\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.Full.1\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.Full\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.Full\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.Full\CurVer Medium
WindowEnhancer HKCR\SBWebCtl.Full\CurVer## Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption## Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption.1 Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption.1## Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption.1\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption.1\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption\CurVer Medium
WindowEnhancer HKCR\SBWebCtl.ICWPayOption\CurVer## Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy## Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy.1 Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy.1## Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy.1\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy.1\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy\CurVer Medium
WindowEnhancer HKCR\SBWebCtl.ICWProxy\CurVer## Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter## Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter.1 Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter.1## Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter.1\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter.1\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter\CurVer Medium
WindowEnhancer HKCR\SBWebCtl.INSFilter\CurVer## Medium
WindowEnhancer HKCR\SBWebCtl.Lite Medium
WindowEnhancer HKCR\SBWebCtl.Lite## Medium
WindowEnhancer HKCR\SBWebCtl.Lite.1 Medium
WindowEnhancer HKCR\SBWebCtl.Lite.1## Medium
WindowEnhancer HKCR\SBWebCtl.Lite.1\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.Lite.1\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.Lite\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.Lite\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.Lite\CurVer Medium
WindowEnhancer HKCR\SBWebCtl.Lite\CurVer## Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict## Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict.1 Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict.1## Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict.1\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict.1\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict\CLSID Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict\CLSID## Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict\CurVer Medium
WindowEnhancer HKCR\SBWebCtl.ObjDict\CurVer## Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D} Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}## Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0 Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0## Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0\0 Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0\0## Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0\0\win32 Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0\0\win32## Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0\FLAGS Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0\FLAGS## Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0\HELPDIR Medium
WindowEnhancer HKCR\TypeLib\{095B3861-E94C-11D2-B88E-00104B21678D}\1.0\HELPDIR## Medium
Yazzle Sudoku HKCR\YazzleSudokuGame High
Yazzle Sudoku HKCR\YazzleSudokuGame## High
Yazzle Sudoku HKCR\YazzleSudokuGame\DefaultIcon High
Yazzle Sudoku HKCR\YazzleSudokuGame\DefaultIcon## High
Yazzle Sudoku HKCR\YazzleSudokuGame\shell High
Yazzle Sudoku HKCR\YazzleSudokuGame\shell## High
ISTbar HKCU\Software\Microsoft\Internet Explorer\Main##BandRest High
WhenU.SaveNow HKLM\software\classes\runmsc.loader Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader## Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader.1 Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader.1## Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader.1\CLSID Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader.1\CLSID## Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader\CLSID Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader\CLSID## Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader\CurVer Info & PUAs
WhenU.SaveNow HKLM\software\classes\runmsc.loader\CurVer## Info & PUAs
ISTbar HKLM\SOFTWARE\Microsoft\Internet Explorer\Main##BandRest High
Surf Accuracy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run##SurfAccuracy Elevated
ISTbar HKU\S-1-5-21-1312982611-488625423-1922732087-1005\Software\Microsoft\Internet Explorer\Main##BandRest High
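The symptom in this post (an O4 Run value that is quarantined or deleted and is back after the next reboot) is easiest to confirm by comparing autostart snapshots rather than by eye. The script below is an added example for this thread, not code from HijackThis, Spyware Doctor, Spy Sweeper or ewido: it parses the O4 section of a HijackThis v1.99.1 log, flags Run entries that are not on an analyst's known-good list, and reports any entry that was removed by a fix and has reappeared after a reboot. The first log excerpt is constructed from O4 lines quoted in the post above; the "after fix" and "after reboot" excerpts, the `KNOWN_GOOD` set and all function names are assumptions made for the example.

```python
"""Parse HijackThis v1.99.1 logs, extract the O4 autostart entries, and compare
snapshots to spot an entry that is removed and then restored after a reboot.
Added example for this thread; not HijackThis, ewido or PC Tools code.
Log excerpts are constructed from lines quoted in the thread; the after-fix and
after-reboot excerpts are hypothetical."""
import re
from dataclasses import dataclass

# Every HijackThis finding starts with a section code: R0/R1 (IE URLs), O2 (BHOs),
# O4 (autostarts), O20 (Winlogon Notify), O23 (services), ...
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 registry form:       HKLM\..\Run: [ValueName] command line
RUNKEY_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 startup-folder form: Global Startup: name.lnk = target
STARTUP_RE = re.compile(r"^(?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")


@dataclass(frozen=True)
class Autostart:
    key: str   # e.g. HKLM\..\Run, HKCU\..\Run, Global Startup
    name: str  # registry value name or .lnk name
    cmd: str   # command line or .lnk target


def parse_hjt(text):
    """Return (running processes, O4 autostart entries) from a HijackThis log."""
    processes, autostarts = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:  # the process block ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if not m or m.group("code") != "O4":
            continue
        body = m.group("body")
        m4 = RUNKEY_RE.match(body) or STARTUP_RE.match(body)
        if m4:
            autostarts.append(Autostart(m4.group("key"), m4.group("name"), m4.group("cmd").strip()))
    return processes, autostarts


def unknown_autostarts(autostarts, known_good):
    """Entries whose (key, name) pair is not in the analyst's known-good set."""
    return [e for e in autostarts if (e.key, e.name) not in known_good]


def resurrected(before_fix, after_fix, after_reboot):
    """Entries removed by a fix that are present again after the reboot.  A Run value
    that keeps coming back means something still on the machine (a service, a
    Winlogon hook, a startup task or a second process) is rewriting it, so deleting
    the value alone will not hold until that component is found and removed."""
    removed = set(before_fix) - set(after_fix)
    return removed & set(after_reboot)


# Constructed excerpt: header, a few processes and O4 lines as quoted in the 9/10/2006 log.
LOG_BEFORE_FIX = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:22:15 PM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""
# Hypothetical: the same log right after the SurfAccuracy line was "fixed" in HijackThis.
LOG_AFTER_FIX = LOG_BEFORE_FIX.replace(
    "O4 - HKLM\\..\\Run: [SurfAccuracy] C:\\Program Files\\SurfAccuracy\\SAcc.exe\n", "")
# Hypothetical: the log after the reboot the post describes, where the value is back.
LOG_AFTER_REBOOT = LOG_BEFORE_FIX

# Assumed analyst allow-list of (key, value name) pairs seen as legitimate on this machine.
KNOWN_GOOD = {
    ("HKLM\\..\\Run", "vptray"),
    ("HKLM\\..\\Run", "SpySweeper"),
    ("HKCU\\..\\Run", "ctfmon.exe"),
    ("Global Startup", "hp psc 2000 Series.lnk"),
}


def main():
    _, before = parse_hjt(LOG_BEFORE_FIX)
    _, after = parse_hjt(LOG_AFTER_FIX)
    _, rebooted = parse_hjt(LOG_AFTER_REBOOT)
    for e in unknown_autostarts(before, KNOWN_GOOD):
        print(f"unknown autostart: {e.key} [{e.name}] {e.cmd}")
    for e in resurrected(before, after, rebooted):
        print(f"restored after reboot: {e.key} [{e.name}] (something is re-creating it)")


if __name__ == "__main__":
    main()
```

Run it against the three snapshots and it reports SurfAccuracy twice: once as an autostart not on the allow-list and once as an entry that was removed and came back. The second report is the useful one for triage: it tells the helper to stop fixing the Run value and look instead at the other loaded components in the same log (services, Winlogon Notify DLLs, running processes) for whatever is rewriting it.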


#2 OldTimer

    Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 16 September 2006 - 11:22 AM

Hello MongoJerry36 and welcome to the BC HijackThis forum. SurfAccuracy has been identified as an adware program. It can be removed by going into the Control Panel and uninstalling it. This should remove the program and any support files and registry keys it created.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 MongoJerry36

  • Topic Starter
  • Members
  • 65 posts
  • Location:NJ

Posted 16 September 2006 - 04:58 PM

Hello OldTimer,
The file is not located in the add or remove files. It does show up in HijackThis and I fixed it, and it still comes back. Spysweeper and Spybot do nothing. I also tried to delete the registry entry manually, but it comes back.
Thanks

#4 OldTimer

    Malware Expert
  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 17 September 2006 - 12:12 PM

Hi MongoJerry36. Ok, let's try an ewido scan.

First download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • At the bottom of the window click on the "Apply all actions" button
    Note: Don't save the report before you hit the Apply action button.
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode.
Post the Ewido log back here along with a new HijackThis log.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#5 MongoJerry36

  • Topic Starter
  • Members
  • 65 posts
  • Location:NJ

Posted 17 September 2006 - 01:51 PM

Hey OT,
Ewido scanned successfully, but when I restarted the computer, Spysweeper did a scan and found the surf accuracy thing.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:33:47 PM 9/17/2006

+ Scan result:

C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP64\A0008735.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{ED3BE9FF-4CC6-4147-8470-65D902FC3376}\RP59\A0007211.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : Cleaned with backup (quarantined).
C:\WINDOWS\system32\PLSRemote.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
:mozilla.168:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.169:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.115:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\7hi4tju2.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.112:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\7hi4tju2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\7hi4tju2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Rick\Application Data\Mozilla\Firefox\Profiles\7hi4tju2.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.87:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup (quarantined).
:mozilla.37:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.137:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.163:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.164:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.35:C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\s6g7ostp.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end




Logfile of HijackThis v1.99.1
Scan saved at 2:48:32 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rick Kerr\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKLM\..\Run: [Tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 836017] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836017
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 836188] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836188
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] "C:\Program Files\Eraser\eraser.exe" -hide
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:00 AM

Posted 18 September 2006 - 06:01 PM

Hi MongoJerry36. Can you do a quick check and see if this folder actually exists: C:\Program Files\SurfAccuracy\ (and if there is anything in it). If not, then we will just remove the registry key. The SA program itself does not show as running so it might just be a left-over registry entry.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 MongoJerry36

MongoJerry36
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Location:NJ
  • Local time:01:00 AM

Posted 18 September 2006 - 07:15 PM

Hey OT,
Yes, it is just a left-over registry key and the folder does not exist. I tried to delete it manually, but it keeps coming back.

Also, is it safe to run Spy Sweeper and Spybot at the same time?

Thanks
Rick AKA MongoJerry36 :thumbsup:

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:00 AM

Posted 20 September 2006 - 05:51 PM

Hi MongoJerry36. It might just be that SpySweeper is preventing you from removing the registry entry (sometimes it can be too protective). Let's disable it and then try and remove it.
  • Open SpySweeper and click the Options menu and then click Program Options.
  • Uncheck Load at Windows Startup.
  • Click Shields and uncheck all items there.
  • Uncheck Home page shield.
  • Uncheck Automatically restore default without notification.
Now start HijackThis and click the Scan button to perform a scan. Look for the following item and click in the checkbox in front of it to select it:
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Ok, reboot the machine and then reset SpySweeper to the way it was before and then post a new HijackThis log.

Cheers.

OT

#9 MongoJerry36

MongoJerry36
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Location:NJ
  • Local time:01:00 AM

Posted 20 September 2006 - 07:03 PM

Hi Old Timer,
I hope I'm not making a big deal of this, but I am just afraid that one day this Surf Accuracy thing could leak out and lead to someone putting in a backdoor trojan. Should I be concerned?
Thanks
Rick


Logfile of HijackThis v1.99.1
Scan saved at 7:59:45 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rick Kerr\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 836017] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836017
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 836188] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836188
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] "C:\Program Files\Eraser\eraser.exe" -hide
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:00 AM

Posted 21 September 2006 - 04:12 AM

Hey MongoJerry36. Let's try this.

Launch Notepad, and copy/paste the text in the quote box below into the new document. Save it to your desktop as regfix.reg:

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\]
"SurfAccuracy"=-


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer. Run HijackThis and see if the entry is still there. If so, reboot into Safe Mode following the steps below and run the regfix.reg file again, then reboot and check with HijackThis again.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Cheers.

OT
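An added example, not OldTimer's procedure or any tool from this thread: a PowerShell script for a current Windows machine that combines the check from post #6 (does the program behind the Run entry still exist?) with the removal from post #10. It lists the HKLM/HKCU Run entries, flags those whose target executable is gone from disk (the left-over SurfAccuracy case), and writes a REGEDIT4 file using the same "Name"=- delete syntax as regfix.reg; the key list, the command-line parsing and the output path are my assumptions.

```powershell
# Added example, not from the thread. Audits autostart Run entries and builds a
# regfix.reg that deletes only the ones whose program is gone from disk.
# Assumes: current Windows with PowerShell 5+ and read access to these keys.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds that are not registry values
$PSMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunTargetPath {
    # Pull the executable out of a Run value's command line, e.g.
    #   "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    #   C:\Program Files\SurfAccuracy\SAcc.exe
    #   rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836017
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }      # quoted path
    $acc = @()
    foreach ($tok in ($cmd -split '\s+')) {                   # unquoted path with spaces:
        $acc += $tok                                          # join tokens until one ends in .exe
        if ($tok -match '\.exe$') { return ($acc -join ' ') }
    }
    return ($cmd -split '\s+')[0]                             # bare name such as rundll32
}

function Test-RunTargetExists {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    $t = [Environment]::ExpandEnvironmentVariables($Target)
    if ($t -match '[\\/]') { return (Test-Path -LiteralPath $t) }  # full or 8.3 path
    return [bool](Get-Command $t -ErrorAction SilentlyContinue)   # resolve bare name via PATH
}

function Get-OrphanedRunEntries {
    # Returns every Run/RunOnce value whose target cannot be found on disk
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PSMeta -contains $p.Name) { continue }
            $target = Get-RunTargetPath ([string]$p.Value)
            if (-not (Test-RunTargetExists $target)) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Target = $target }
            }
        }
    }
}

function ConvertTo-RegDeleteStanza {
    # "Name"=- under a [key] header deletes that value when the file is merged,
    # the same syntax as the regfix.reg posted above
    param([string]$Key, [string]$Name)
    $hive = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    return "[$hive]`r`n`"$Name`"=-`r`n"
}

$orphans = @(Get-OrphanedRunEntries)
$orphans | Format-Table Name, Target, Key -AutoSize
if ($orphans.Count -gt 0) {
    $out  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'regfix.reg'
    $body = @('REGEDIT4', '') + ($orphans | ForEach-Object { ConvertTo-RegDeleteStanza $_.Key $_.Name })
    Set-Content -LiteralPath $out -Value $body -Encoding Ascii   # REGEDIT4 files are ANSI text
    Write-Host "Review $out, then double-click it to merge only the entries you recognise as dead."
}
```

Review the table before merging: an entry can be listed because its program is temporarily on a disconnected drive, and a protective tool's startup shield (the Spy Sweeper behaviour discussed in this thread) can put a deleted value straight back.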

#11 MongoJerry36

MongoJerry36
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Location:NJ
  • Local time:01:00 AM

Posted 22 September 2006 - 05:07 PM

Hey OT,
Thanks for all your help. I hope it's clean.
Thanks :thumbsup:
Rick

Logfile of HijackThis v1.99.1
Scan saved at 6:02:14 PM, on 9/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rick Kerr\Desktop\HIJACK THIS\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#12 MongoJerry36

MongoJerry36
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Location:NJ
  • Local time:01:00 AM

Posted 22 September 2006 - 05:36 PM

Hello,
Sorry about the above comment. I spoke too soon. It went away for a little, then came back 15 minutes later. It came back when I scanned with Spy Sweeper. Could Spy Sweeper make it come back? :thumbsup:
Thanks
Rick

Logfile of HijackThis v1.99.1
Scan saved at 6:33:27 PM, on 9/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rick Kerr\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 836017] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836017
O4 - HKLM\..\RunOnce: [WinSideBySideSetupCleanup 836188] rundll32 sxs.dll,SxspRunDllDeleteDirectory C:\WINDOWS\WinSxS\InstallTemp\836188
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] "C:\Program Files\Eraser\eraser.exe" -hide
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:00 AM

Posted 23 September 2006 - 08:18 AM

Hi MongoJerry36. Yes, SS can be problematic with not allowing legitimate changes to be made. Let's try this.

Start SpySweeper.
  • On the Program tab uncheck "Start Spy Sweeper at Windows startup"
  • Click the Shields item on the left
  • On the Startup Programs tab uncheck "Startup Items Shield"
  • Save the settings and close SpySweeper.

Now start HijackThis and fix the item for O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe.

Reboot the machine and start SpySweeper. Do a scan and if it gives an alert for the startup change for SurfAccuracy choose ALLOW.

After that you can go in and re-enable the SpySweeper settings we changed above.

Cheers.

OT

#14 MongoJerry36

MongoJerry36
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Location:NJ
  • Local time:01:00 AM

Posted 23 September 2006 - 06:47 PM

Hey OldTimer,
Looks like that worked great. Thanks for all your help.
MongoJerry36 aka Rick

Logfile of HijackThis v1.99.1
Scan saved at 7:44:11 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Rick Kerr\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] "C:\Program Files\Eraser\eraser.exe" -hide
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

:thumbsup: :flowers: :huh:
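As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script that parses the O4 (autostart) and O23 (service) lines of a HijackThis v1.99 log like the one above and flags the entries a responder checks first: autostarts that live in user-writable directories, startup shortcuts whose target could not be resolved (the `= ?` form), and services still registered for a binary that is no longer on disk (the log above carries two such entries, MpfService and PLSRemoteSvc, both with "Unknown owner"). The sample log embedded in the script mixes lines quoted from the post with one constructed HKCU Run entry (an `update.exe` in a Temp directory) that does not appear on this page; the directory list used as the "user-writable" heuristic is the script's own assumption.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines quoted from the forum post plus one made-up
# HKCU\..\Run entry (the Temp\update.exe line) that is not from the page.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [update] C:\Documents and Settings\user\Local Settings\Temp\update.exe -s
O4 - Global Startup: hpoddt01.exe.lnk = ?
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed heuristic: directories an ordinary XP user can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O23"
    name: str     # registry value name or service short name
    path: str     # image path as recorded in the log
    reason: str   # why the entry was flagged


def image_path(command: str) -> str:
    """Executable path from a Run-key command line, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_o4(rest: str) -> tuple[str, str] | None:
    """'HKLM\\..\\Run: [name] cmd' or 'Global Startup: x.lnk = target' -> (name, path)."""
    m = re.match(r"(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", rest)
    if m:
        return f"{m['hive']}\\{m['key']}\\{m['name']}", image_path(m["cmd"])
    m = re.match(r"(?P<where>[^:]+): (?P<link>.*?) = (?P<target>.*)$", rest)
    if m:
        return f"{m['where']}\\{m['link']}", m["target"]
    return None


def parse_o23(rest: str) -> tuple[str, str, str, bool] | None:
    """'Display (short) - owner - path [(file missing)]' -> (short, owner, path, missing)."""
    parts = rest.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, owner, path = parts
    missing = path.endswith(" (file missing)")
    if missing:
        path = path[: -len(" (file missing)")]
    # The short name is the parenthesised tail of the display part; it may itself
    # contain parentheses (e.g. "(SoundMAX Agent Service (default))"), and some
    # services (e.g. "Pml Driver HPZ12") have no separate short name at all.
    idx = head.find(" (")
    short = head[idx + 2:-1] if idx >= 0 and head.endswith(")") else head
    return short, owner, path, missing


def triage(log_text: str) -> list[Finding]:
    """Walk the log and return the entries worth a closer look, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O4":
            parsed = parse_o4(rest)
            if parsed is None:
                continue
            name, path = parsed
            if path == "?":
                findings.append(Finding(section, name, path, "startup shortcut whose target could not be resolved"))
            elif any(d in path.lower() for d in USER_WRITABLE):
                findings.append(Finding(section, name, path, "autostart from a user-writable directory"))
        elif section == "O23":
            parsed = parse_o23(rest)
            if parsed is None:
                continue
            short, owner, path, missing = parsed
            if missing:
                findings.append(Finding(section, short, path,
                                        "service registered for a binary that is not on disk; an orphaned entry, "
                                        "and a file dropped at that path would run with the service's privileges"))
            if owner == "Unknown owner":
                findings.append(Finding(section, short, path, "no publisher recorded for the service binary; verify it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.name}: {f.reason} [{f.path}]")
```

Run it as-is to see the four flagged entries from the embedded sample; to triage a real log, pass the file's text to `triage()`. The O23 "file missing" check matters beyond tidiness: a service entry whose binary is gone is a dormant load point, so either remove the registration or confirm the path cannot be written by an unprivileged user.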

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:01:00 AM

Posted 24 September 2006 - 07:28 AM

Hi MongoJerry36. Yup, that looks good. Here are a few tips to help keep the machine clean in the future.

Let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good firewall and a good antivirus application installed and running. It is important to have both to protect your system, and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
