
Spywareno


14 replies to this topic

#1 VOMAC

VOMAC

    Newbie

  • Members
  • 6 posts

Posted 22 April 2006 - 06:23 PM

I am unable to remove SPYWARENO from my PC.
I have scanned in safe mode and in normal mode; the problem still exists. The scan located it but will not delete it. I did a "find" search in the registry and deleted all files found for Zeno, balloon.application and spywareno, and still it keeps coming back. This is my third day with this problem. I am using SE Plus build 1.06r1 with definition file SE1R104 21.04.2006, which I understand should be the current version. I also found out that this spyware has been around since 2005. Should not this version be able to repair it? I turned off System Restore and ran the scan; still no help. The scan locates it but will not delete it. Rescan: it locates it, but will not delete it. At one time I had 14 files of spywareno in quarantine. I deleted all of them. Same problem exists.
Operating system: Win XP SP2, Pentium 4 at 3.06 GHz, 1 GB shared memory. Help please!! Thanks.
Partial Log follows. Entire log too large to post:


Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, April 22, 2006 12:51:11 PM
Using definitions file:SE1R104 21.04.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
SpywareNo(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#2 Andy_veal

Andy_veal

    Member

  • Members
  • 23 posts

Posted 22 April 2006 - 06:44 PM

:( You're in good hands, just follow Corrine's advice below!

#3 Corrine

Corrine

    Advanced Member

  • Members
  • 238 posts

Posted 22 April 2006 - 06:59 PM

SpywareNo is another of the rogue applications in the smitRem collection that currently requires special software to remove.

PRINT or SAVE these instructions to text where you can access them in safe mode.
Please follow the instructions in the order given.


INSTRUCTIONS:

A. Download and/or update the following programs. Install them but do NOT run them yet.
  • Download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip . Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.
  • Download CCleaner from the link at the upper right of this page: http://www.filehippo.com/download_ccleaner.html .
  • Please launch Ad-Aware SE and check for updates. Next click on the gear to access the Configuration Menu. Click on Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
B. Restart your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Login on your usual account.
    If you need further assistance with Safe Mode, see Symantec
C. Open the SmitfraudFix folder
  • Double-click smitfraudfix.cmd file to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter.
    Warning : running option #2 on an uninfected computer will remove your Desktop background.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry?"
    • Answer Yes by typing Y
    • Hit Enter.
  • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
    • Answer Yes to the question "Replace infected file?" by typing Y
    • Hit Enter.
  • A reboot may be needed to finish the cleaning process. If your computer does not restart automatically please do it yourself manually.
  • Restart in Safe Mode as instructed above.
  • The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
D. Clean Temporary Internet files with CCleaner as follows:
  • Close/Quit Internet Explorer and quit any instances of Windows Explorer.
  • Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
  • A pop up box will appear advising this process will permanently delete files from your system.
  • To protect logon cookies that you wish to retain, go to Options > Cookies, select them and, using the arrow, move those cookies to the "Cookies to keep" column.
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the "Internet Explorer" section.
      • Clean all the entries in the "Windows Explorer" section.
      • Clean all entries in the "System" section.
      • Clean all entries in the "Advanced" section.
      • Clean any others that you choose.
    • In the Applications Tab:
      • Clean all in the Firefox/Mozilla section if you use it.
      • Clean all in the Opera section if you use it.
      • Clean Sun Java in the Internet Section.
      • Clean any others that you choose.
  • Click the "Run Cleaner" button and it will scan and clean your system.
  • Click exit.
E. Recover Desktop
  • Click on the Programs tab then click the Reset Web Settings button.
  • Click Apply then OK. Click OK.
  • Click Start, click Control Panel and then double-click Display.
  • Click on the Desktop tab, then click the Customize Desktop button.
  • Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
  • Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
F. Scan with Ad-Aware SE
  • Launch Ad-Aware SE and run a Full Scan.
  • Uncheck "Search for negligible risk entries"
  • When the scan has completed, select Next.
  • In the Scanning Results window, select the "Scan Summary" tab.
  • Check the box next to each "target family" you wish to remove.
  • Click next, Click OK.
G. Restart in Normal Mode and open the SmitfraudFix folder
  • Double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter
  • Answer Yes to the question "Restore Trusted Zone ?" by typing Y
  • Hit Enter.
Note: If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
H. Post a fresh full scan Ad-Aware SE logfile as well as the C:\rapport.txt.

Please let us know if any problems persist.

Oops! Sorry, Andy. Looks like you replied while I was editing the fix to use Ad-Aware. It took too long to prepare so I'm just going to leave it for the user to choose. :(

#4 VOMAC

VOMAC

    Newbie

  • Members
  • 6 posts

Posted 27 April 2006 - 03:30 AM

I followed these instructions twice; Spywareno was not removed. Attached is the info requested.


Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, April 26, 2006 8:15:53 PM
Using definitions file:SE1R105 26.04.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
SpywareNo(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R105 26.04.2006
Internal build : 125
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref
File size : 623812 Bytes
Total size : 2049042 Bytes
Signature data size : 2011689 Bytes
Reference data size : 36841 Bytes
Signatures total : 56569
CSI Fingerprints total : 2406
CSI data size : 78138 Bytes
Target categories : 15
Target families : 880


Memory + processor status:
==========================
Number of processors : 2
Processor architecture : Intel Pentium IV
Memory available:64 %
Total physical memory:916460 kb
Available physical memory:584112 kb
Total page file size:2222872 kb
Available on page file:1956312 kb
Total virtual memory:2097024 kb
Available virtual memory:2042156 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Automatically check all objects in results lists
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Suppress warning if objects cannot be removed
Set : Suppress progress bar during list operations
Set : Disable manual quarantine if auto-quarantine is selected
Set : Block pop-ups aggressively
Set : Load Ad-Watch minimized
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Snap windows to desktop borders
Set : Limit drive selection to fixed drives
Set : Use gridlines in results lists
Set : Suppress WebUpdate confirmation dialogs
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects
4-26-2006 8:15:53 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 620
ThreadCreationTime : 4-26-2006 11:31:47 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 672
ThreadCreationTime : 4-26-2006 11:31:53 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 4-26-2006 11:31:54 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 744
ThreadCreationTime : 4-26-2006 11:31:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 756
ThreadCreationTime : 4-26-2006 11:31:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 936
ThreadCreationTime : 4-26-2006 11:31:55 PM
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 952
ThreadCreationTime : 4-26-2006 11:31:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1004
ThreadCreationTime : 4-26-2006 11:31:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1044
ThreadCreationTime : 4-26-2006 11:31:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [acs.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1144
ThreadCreationTime : 4-26-2006 11:31:56 PM
BasePriority : Normal

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1180
ThreadCreationTime : 4-26-2006 11:31:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1224
ThreadCreationTime : 4-26-2006 11:31:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1528
ThreadCreationTime : 4-26-2006 11:31:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [aluschedulersvc.exe]
FilePath : C:\Program Files\Symantec\LiveUpdate\
ProcessID : 1676
ThreadCreationTime : 4-26-2006 11:31:57 PM
BasePriority : Normal
FileVersion : 3.0.0.160
ProductVersion : 3.0.0.160
ProductName : LiveUpdate
CompanyName : Symantec Corporation
FileDescription : Automatic LiveUpdate Scheduler Service
InternalName : Automatic LiveUpdate Scheduler Service
LegalCopyright : Copyright © 1996-2005 Symantec Corporation
OriginalFilename : ALUSchedulerSvc.exe

#:15 [ccproxy.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1844
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 103.0.7.2
ProductVersion : 103.0.7.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1856
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:17 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1872
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 103.0.7.2
ProductVersion : 103.0.7.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:18 [ceepwrsvc.exe]
FilePath : C:\Program Files\Toshiba\Power Management\
ProcessID : 1884
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 0
ProductVersion : 1, 1, 0, 0
ProductName : CeEPwrSvc Module
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : CeEPwrSvc Module
InternalName : CeEPwrSvc
LegalCopyright : Copyright 2002-2004 Compal Electronic Inc.
OriginalFilename : CeEPwrSvc.EXE
Comments : James Kang

#:19 [cfsvcs.exe]
FilePath : C:\Program Files\TOSHIBA\ConfigFree\
ProcessID : 1896
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 4, 60, 0, 2
ProductVersion : 4, 60, 0, 0
ProductName : ConfigFree™
CompanyName : TOSHIBA CORPORATION
FileDescription : Service of ConfigFree.
InternalName : CFSvcs.exe
LegalCopyright : Copyright © 2003 TOSHIBA CORPORATION. All rights reserved.
LegalTrademarks : ConfigFree™
OriginalFilename : CFSvcs.exe
Comments : Service of ConfigFree.

#:20 [ctsvccda.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1920
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:21 [dvdramsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1960
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 2, 0, 7, 0
ProductVersion : 2, 0, 7, 0
CompanyName : Matsushita Electric Industrial Co., Ltd.
FileDescription : Service of RAMAsst for Windows XP
LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2003
OriginalFilename : DVDRAMSV.EXE
#:22 [issvc.exe]
FilePath : C:\Program Files\Norton Internet Security\
ProcessID : 2000
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 8.0.5.14
ProductVersion : 8.0
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : IS Service
InternalName : ISSVC.exe
LegalCopyright : Copyright © 2004 Symantec Corporation
OriginalFilename : ISSVC.exe

#:23 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 212
ThreadCreationTime : 4-26-2006 11:31:58 PM
BasePriority : Normal
FileVersion : 5.5.1.6
ProductVersion : 5.5
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#5 VOMAC

VOMAC

    Newbie

  • Members
  • 6 posts

Posted 27 April 2006 - 03:53 AM

#:24 [spbbcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
ProcessID : 272
ThreadCreationTime : 4-26-2006 11:31:59 PM
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:25 [starwindservice.exe]
FilePath : C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\
ProcessID : 328
ThreadCreationTime : 4-26-2006 11:31:59 PM
BasePriority : Normal
FileVersion : 2.6.1 Build 0x20050401
ProductVersion : 2.6.1 Build 0x20050401
ProductName : StarWind
CompanyName : Rocket Division Software
FileDescription : StarWind iSCSI Target (Alcohol Edition)
InternalName : StarWind
LegalCopyright : Copyright © Rocket Division Software 2003-2005. All rights reserved.
OriginalFilename : StarWind

#:26 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 340
ThreadCreationTime : 4-26-2006 11:31:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:27 [swupdtmr.exe]
FilePath : c:\TOSHIBA\Ivp\Swupdate\
ProcessID : 440
ThreadCreationTime : 4-26-2006 11:31:59 PM
BasePriority : Normal


#:28 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 508
ThreadCreationTime : 4-26-2006 11:32:03 PM
BasePriority : Normal
FileVersion : 1.8.54.841
ProductVersion : 1.8.54.841
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:29 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 572
ThreadCreationTime : 4-26-2006 11:32:05 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:30 [mspmspsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 676
ThreadCreationTime : 4-26-2006 11:32:05 PM
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:31 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 988
ThreadCreationTime : 4-26-2006 11:32:06 PM
BasePriority : Normal
FileVersion : 103.0.7.2
ProductVersion : 103.0.7.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:32 [tptray.exe]
FilePath : C:\Program Files\TOSHIBA\TouchPad\
ProcessID : 1792
ThreadCreationTime : 4-26-2006 11:32:20 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 2
ProductVersion : 1, 1, 0, 2
ProductName : TPTray Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : TPTray Application
InternalName : TPTray
LegalCopyright : Copyright 2002-2004 Compal Electronic Inc.
OriginalFilename : TPTray.EXE
Comments : Mei Hsu

#:33 [sm1bg.exe]
FilePath : C:\WINDOWS\
ProcessID : 2056
ThreadCreationTime : 4-26-2006 11:32:22 PM
BasePriority : Normal
FileVersion : 6.01.1000.0
ProductVersion : 6.01.1000.0
ProductName : Cypress USB Mass Storage Adapter
CompanyName : Cypress Semiconductor
FileDescription : Cypress USB Mass Storage Driver Background Application
InternalName : SM1BG.EXE
LegalCopyright : Copyright © 1998-2003 Cypress Semiconductor
OriginalFilename : SM1BG.EXE

#:34 [pinger.exe]
FilePath : C:\toshiba\ivp\ism\
ProcessID : 2064
ThreadCreationTime : 4-26-2006 11:32:22 PM
BasePriority : Normal
FileVersion : 3.3
ProductVersion : 3.3
ProductName : Software Upgrades
CompanyName : TOSHIBA Corporation
FileDescription : TOSHIBA Pinger
InternalName : PINGER
LegalCopyright : © 1997-2002 TOSHIBA Corporation
OriginalFilename : PINGER.EXE
Comments : With TSysSMon support.

#:35 [padexe.exe]
FilePath : C:\Program Files\TOSHIBA\Touch and Launch\
ProcessID : 2124
ThreadCreationTime : 4-26-2006 11:32:23 PM
BasePriority : Normal
FileVersion : 1, 2, 4, 0
ProductVersion : 1, 2, 4, 0
ProductName : PadTouch
CompanyName : TOSHIBA
FileDescription : PadTouch Main
InternalName : PadExe
LegalCopyright : Copyright © 2003-2004 TOSHIBA Corporation
OriginalFilename : PadExe.exe

#:36 [ndstray.exe]
FilePath : C:\Program Files\TOSHIBA\ConfigFree\
ProcessID : 2136
ThreadCreationTime : 4-26-2006 11:32:23 PM
BasePriority : Normal
FileVersion : 4, 50, 0, 105
ProductVersion : 4, 5, 0, 0
ProductName : ConfigFree™ Tray
CompanyName : TOSHIBA CORPORATION
FileDescription : ConfigFree™ Tray
InternalName : ndstray
LegalCopyright : Copyright 2002-2003 © TOSHIBA CORPORATION. All rights reserved.
OriginalFilename : NDSTray.exe
#:37 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ProcessID : 2152
ThreadCreationTime : 4-26-2006 11:32:24 PM
BasePriority : Normal
FileVersion : 1.04.08a
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
LegalCopyright : Copyright © 2004 Sonic Solutions

#:38 [cepmtray.exe]
FilePath : C:\Program Files\TOSHIBA\Power Management\
ProcessID : 2172
ThreadCreationTime : 4-26-2006 11:32:25 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 11
ProductVersion : 1, 1, 0, 11
ProductName : CeTray Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : CeTray MFC Application
InternalName : CeTray
LegalCopyright : Copyright 2002-2004 Compal Electronic Inc.
OriginalFilename : CeTray.EXE
Comments : James Kang

#:39 [ceekey.exe]
FilePath : C:\Program Files\TOSHIBA\E-KEY\
ProcessID : 2204
ThreadCreationTime : 4-26-2006 11:32:25 PM
BasePriority : Normal
FileVersion : 2, 1, 0, 7
ProductVersion : 2, 1, 0, 7
ProductName : EKey Application
CompanyName : COMPAL ELECTRONIC INC.
FileDescription : TOSHIBA HotKey Utility
InternalName : EKey
LegalCopyright : Copyright 2003-2004 Compal Electronic Inc.
OriginalFilename : CeEKey.EXE

#:40 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 2240
ThreadCreationTime : 4-26-2006 11:32:26 PM
BasePriority : Normal
FileVersion : 103.0.7.2
ProductVersion : 103.0.7.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:41 [ad-watch.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 2308
ThreadCreationTime : 4-26-2006 11:32:27 PM
BasePriority : Normal
FileVersion : 3.1.2.17
ProductVersion : 3.2
ProductName : Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Watch System Protector
InternalName : Ad-Watch.exe
LegalCopyright : 1999-2004 Team Lavasoft
OriginalFilename : Ad-Watch.exe

#:42 [atiptaxx.exe]
FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
ProcessID : 2360
ThreadCreationTime : 4-26-2006 11:32:28 PM
BasePriority : Normal
FileVersion : 6.14.10.5103
ProductVersion : 6.14.10.5103
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright © 1998-2004 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe
#:43 [apoint.exe]
FilePath : C:\Program Files\Apoint2K\
ProcessID : 2444
ThreadCreationTime : 4-26-2006 11:32:29 PM
BasePriority : Normal
FileVersion : 6.0.2.180
ProductVersion : 6.0.2.180
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright © 1999-2003 Alps Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:44 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 2516
ThreadCreationTime : 4-26-2006 11:32:30 PM
BasePriority : Normal
FileVersion : 2.1.38 2.1.38 02/20/2004 15:00:27
ProductVersion : 2.1.38 2.1.38 02/20/2004 15:00:27
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:45 [mtdacq.exe]
FilePath : C:\Program Files\Creative\Shared Files\Media Sniffer\
ProcessID : 2640
ThreadCreationTime : 4-26-2006 11:32:32 PM
BasePriority : Normal
FileVersion : 1.2.3.0
ProductVersion : 1.0.0.0
ProductName : Metadata monitor
CompanyName : Creative Technology Ltd
FileDescription : Metadata monitor
InternalName : MtdAcq.exe
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : MtdAcq.exe

#:46 [ctdetect.exe]
FilePath : C:\Program Files\Creative\MediaSource\Detector\
ProcessID : 2668
ThreadCreationTime : 4-26-2006 11:32:33 PM
BasePriority : Normal
FileVersion : 3.0.2.0
ProductVersion : 3.0.0.0
ProductName : Creative MediaSource Detector
CompanyName : Creative Technology Ltd
FileDescription : Creative MediaSource Detector
InternalName : CTDetect
LegalCopyright : Copyright © Creative Technology Ltd., 2003-2004. All rights reserved.
OriginalFilename : CTDetect.EXE

#:47 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2744
ThreadCreationTime : 4-26-2006 11:32:34 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:48 [ramasst.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2796
ThreadCreationTime : 4-26-2006 11:32:36 PM
BasePriority : Normal
FileVersion : 1, 0, 9, 0
ProductVersion : 1, 0, 9, 0
CompanyName : Matsushita Electric Industrial Co., Ltd.
FileDescription : CD Burning of Windows XP disabling tool for DVD MULTI Drive
LegalCopyright : Copyright © Matsushita Electric Industrial Co., Ltd. 2002 - 2003
OriginalFilename : RAMASST.EXE

#:49 [wupdmgr.exe]
FilePath : C:\WINDOWS\
ProcessID : 2888
ThreadCreationTime : 4-26-2006 11:32:38 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Balloon Application
FileDescription : Balloon MFC Application
InternalName : Balloon
LegalCopyright : Copyright © 2006
OriginalFilename : Balloon.EXE

#6 VOMAC

VOMAC

    Newbie

  • Members
  • 6 posts

Posted 27 April 2006 - 04:06 AM

[quote name='VOMAC' date='Apr 26 2006, 10:53 PM' post='778']
#:50 [osaupd.exe]
FilePath : C:\WINDOWS\
ProcessID : 2956
ThreadCreationTime : 4-26-2006 11:32:40 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Balloon Application
FileDescription : Balloon MFC Application
InternalName : Balloon
LegalCopyright : Copyright © 2006
OriginalFilename : Balloon.EXE

#:51 [apntex.exe]
FilePath : C:\Program Files\Apoint2K\
ProcessID : 3008
ThreadCreationTime : 4-26-2006 11:32:42 PM
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for Windows NT/2000/XP
LegalCopyright : Copyright © 1998-2003 Alps Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:52 [wzqkpick.exe]
FilePath : C:\PROGRA~1\WINZIP\
ProcessID : 464
ThreadCreationTime : 4-27-2006 12:08:45 AM
BasePriority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 8.1 (4319)
ProductName : WinZip
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2001 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English

#:53 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Plus\
ProcessID : 2932
ThreadCreationTime : 4-27-2006 12:13:42 AM
BasePriority : Normal
FileVersion : 6.2.0.237
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{1ca7dbaf-b066-4554-977e-5cebb7fa59c8}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Deep scanning and examining files (K:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for K:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 1




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SpywareNo Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : balloon.application

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 2

8:21:49 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:55.437
Objects scanned:123190
Objects identified:2
Objects ignored:0
New critical objects:2



RAPPORT
SmitFraudFix v2.33b

Scan done at 19:28:10.45, Wed 04/26/2006
Run from C:\Documents and Settings\MACK\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\osaupd.exe FOUND !
C:\WINDOWS\wupdmgr.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MACK\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MACK\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


2nd run
SmitFraudFix v2.33b

Scan done at 18:42:47.34, Wed 04/26/2006
Run from C:\Documents and Settings\MACK\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\osaupd.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks again for your help. I hope that info will help in fixing this problem.

#7 Guest_winchester73_*

Guest_winchester73_*
  • Guests

Posted 27 April 2006 - 01:45 PM

Let's have a look at a HijackThis log. See this thread: http://www.lavasofts...p?showtopic=216

#8 Guest_winchester73_*

Guest_winchester73_*
  • Guests

Posted 27 April 2006 - 07:41 PM

Just discovered that S!Ri updated last night to version 2.35 ... download a fresh copy, and see if it does the trick. Let's also see a HJT log when you are finished.

#9 VOMAC

VOMAC

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 28 April 2006 - 01:56 AM


Just discovered that S!Ri updated last night to version 2.35 ... download a fresh copy, and see if it does the trick. Let's also see a HJT log when you are finished.


Thanks, here is Hijack

Logfile of HijackThis v1.99.1
Scan saved at 8:14:52 PM, on 4/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\SM1BG.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\DOWNLOADS_vomac\HijACk THiS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [{78-8F-FC-C1-ZN}] 0
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140652834906
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks guys.

#10 Guest_winchester73_*

Guest_winchester73_*
  • Guests

Posted 28 April 2006 - 02:06 PM

I don't see ZeroAds installed, but the item in blue below should be left alone IF you are using it. Otherwise, add it to the items to be fixed.

Close all open windows, and run HJT again. Put a checkmark next to the following items, and press "Fix Checked":

O4 - HKLM\..\Run: [{78-8F-FC-C1-ZN}] 0

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab


Reboot.

Post the results of the 2.35 scan please.

Run Ad-Aware SE again, and see if it detects anything.

Let us know the status of your problem.

#11 tianyu

tianyu

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 01 May 2006 - 03:54 PM

Hey... does anyone here know how to remove atmclk.exe and dcomcfg? I have tried using Spybot and Ad-Aware SE Personal core application 1.06r1 with the latest definition file dated 26-4-2006, but it is still there... I also tried deleting it through the Windows Task Manager, but it reappears after I press delete.

Hope someone could help.

#12 Corrine

Corrine

    Advanced Member

  • Members
  • PipPipPip
  • 238 posts

Posted 01 May 2006 - 05:00 PM

Hi, tianyu. Just follow the instructions I gave above:

http://www.lavasofts...=findpost&p=384

#13 mikeroo

mikeroo

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 02 May 2006 - 11:06 PM

Hi, tianyu. Just follow the instructions I gave above:

http://www.lavasofts...=findpost&p=384



I registered to say thanks; this was the ONLY procedure that worked for me in getting rid of "Safetydefender" browser hijacking. Nice work. By the way, the two links provided were blocked by the spyware/malware :)

#14 VOMAC

VOMAC

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 03 May 2006 - 07:27 AM

I don't see ZeroAds installed, but the item in blue below should be left alone IF you are using it. Otherwise, add it to the items to be fixed.

Close all open windows, and run HJT again. Put a checkmark next to the following items, and press "Fix Checked":

O4 - HKLM\..\Run: [{78-8F-FC-C1-ZN}] 0

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab


Reboot.

Post the results of the 2.35 scan please.

Run Ad-Aware SE again, and see if it detects anything.

Let us know the status of your problem.



Thanks guys. I think I have got this critter caught. After running HJT, I reviewed the log and located any files that I did not recognize from past experience. I googled these files and found two that were SpywareNo:
Wupdmgr.exe and osaupd.exe, original filename balloon.exe (I had previously deleted that entry from the registry). I then booted to safe mode and deleted those two files. Deleted the desktop icon and boom, I am smoking again!!
Thanks for all the help. You guys were great. Thanks Corrine for the first shove.
Peace up!!
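As an added example (not code from this thread or from any of the tools used in it), here is a small Python script that reads the Ad-Aware SE "Running processes" blocks quoted in post #6 and applies the check VOMAC did by hand above: it compares each process's on-disk name with the OriginalFilename in its version resource and reports one OriginalFilename reused by differently named files. The sample input is a constructed, trimmed copy of the log format shown earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: a trimmed copy of the Ad-Aware SE "Running processes"
# blocks quoted earlier in this thread (only the fields the check below needs).
SAMPLE_LOG = """\
#:49 [wupdmgr.exe]
FilePath : C:\\WINDOWS\\
ProductName : Balloon Application
OriginalFilename : Balloon.EXE

#:50 [osaupd.exe]
FilePath : C:\\WINDOWS\\
ProductName : Balloon Application
OriginalFilename : Balloon.EXE

#:51 [apntex.exe]
FilePath : C:\\Program Files\\Apoint2K\\
CompanyName : Alps Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:52 [wzqkpick.exe]
FilePath : C:\\PROGRA~1\\WINZIP\\
CompanyName : WinZip Computing, Inc.
OriginalFilename : WZQKPICK.EXE
"""

HEADER = re.compile(r"^#:(\d+) \[(.+?)\]$")   # block header, e.g. "#:49 [wupdmgr.exe]"

def parse_processes(text):
    """Split the log into one dict per '#:NN [name]' block; keys are the version-info fields."""
    procs, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"index": int(m.group(1)), "name": m.group(2)}
            procs.append(cur)
        elif cur is not None and " : " in line:
            key, _, val = line.partition(" : ")
            cur[key.strip()] = val.strip()
    return procs

def suspicious(procs):
    """Return (name, reason) pairs for the signals that exposed SpywareNo in this thread:
    on-disk name != PE OriginalFilename, no CompanyName, or one OriginalFilename
    reused by several differently named files."""
    flagged, by_orig = [], defaultdict(set)
    for p in procs:
        name, orig = p["name"].lower(), p.get("OriginalFilename", "").lower()
        if orig and orig != name:
            flagged.append((p["name"], "name differs from OriginalFilename " + p["OriginalFilename"]))
        if "CompanyName" not in p:
            flagged.append((p["name"], "no CompanyName in version info"))
        if orig:
            by_orig[orig].add(name)
    for orig, names in by_orig.items():
        if len(names) > 1:
            flagged.append((orig, "shared by " + ", ".join(sorted(names))))
    return flagged
```

On the sample above only wupdmgr.exe and osaupd.exe are flagged, and the "Balloon.EXE shared by" line ties the two together the way the log review did.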

#15 Corrine

Corrine

    Advanced Member

  • Members
  • PipPipPip
  • 238 posts

Posted 03 May 2006 - 12:34 PM

Good news!



