I downloaded a free trial of Spy Sweeper, and it has since found CnsMin + 44 traces in my computer. SS tells me that I cannot quarantine or remove until I subscribe (pay). Ok. So I tried some other things: ewido, xoftspy, ccleaner, as well as an on-line cnsmin scan & re-name/delete...at the command prompt. None of these things can even find it! Is in in effect quarantined by SS? The number of traces isn't growing... If I take SS out, will it leave the bad stuff behind, and hidden somewhere? Now what?
carolraydon 0 Junior Poster in Training
'Stein 150 Lapsed Skeptic Team Colleague
Alrite great. Let's begin with HijackThis, a diagnostic software that helps us determine the problem.
Thanks.:)
carolraydon 0 Junior Poster in Training
Logfile of HijackThis v1.99.1
Scan saved at 14:15:45, on 21/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Documents and Settings\Reservations\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clubbalihai.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
'Stein 150 Lapsed Skeptic Team Colleague
Hmm, alrite. We're gonna do several things. First off, outta curiosity, did ya recently uninstall Norton Antivirus, or is it still on your computer?
Other then several entries because of what was mentione above, your log is clean.
The next best thing to do is run a new SpySweeper scan and save the log, posting it here, even though you cannot delete the folders with SpySweeper. We'll do it manually.
Ok, so 1 thing in the nxt post: new SpySweeper log.
Thanks.
carolraydon 0 Junior Poster in Training
Hi again,
I can't find the log - maybe it's another "subscribers only" feature. Here are the keys listed under the item cnsmin: (from the 'remove' page)
HKCR\clsid\{d449eb58-55af-4695-b216-895d546aed89}\ (11 subtraces)
HKCR\typelib\{b7db519e-7131-47b1-a9f5-da8d061c2611}\ (9 subtraces)
HKLM\software\classes\clsid\{d449eb58-55af-4695-b216-895d546aed89}\ (11 subtraces)
HKLM\software\classes\typelib\{b7db519e-7131-47b1-a9f5-da8d061c2611}\ (9 subtraces)
-----I think I'm going blind-----
I imagine that these are the things to take out with REGEDIT, but I don't know if there is an order to the whole thing 1 -2 - 3.
And yes, I did recently uninstall Norton Systemworks 2003, and what an education. With Norton, there are no friendly divorces. It wouldn't uninstall - I had to use some little fixes & then erase keys. I guess I have more to do, eh?
Mauruuru roa
'Stein 150 Lapsed Skeptic Team Colleague
Arg, ure right along that, but I wanna where the physical files are. Did ya try scanning with SpySweeper, or did ya jus look for the scan log?
The best thing to do would be to run a new scan, save the log, and post that, but if ya can't do that cause of membership restrictions, I understand too.
Lastly, fix the following in HJT:
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
After this, post a new HJT log, and the spysweeper log if possible.
Thanks.
carolraydon 0 Junior Poster in Training
I scanned, then scanned again & looked in all of the nooks & crannies. The only text files for SS are license & read me - nyet... I fixed the stuff you said + I did a new xoftspy scan, at least they give you a log. It follows the new hjt log, in case
Logfile of HijackThis v1.99.1
Scan saved at 19:24:54, on 21/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Documents and Settings\Reservations\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clubbalihai.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
And the xoft one - I did this before I fixed the 4 things that you said
<?xml version = "1.0"?>
<Session START = "21 Apr 06 18:20:42" END = "21 Apr 06 18:32:59">
<Information Version = "4.21" DatabaseVersion = "171" DataBaseDate = "20 APR 2006"/>
<Information OS = "Win XP"/>
<Information ServicePack = "Service Pack 2"/>
<Information WorkingDirectory = "C:\Program Files\XoftSpy\"/>
<Information Option = "AdvSpyware Scan" State = "ON"/>
<Information Option = "Scan IE Favorites" State = "ON"/>
<Information Option = "Scan Host Files" State = "ON"/>
<Information Option = "Scan Drives" State = "OFF"/>
<Information Option = "Do Not Scan Executables" State = "OFF"/>
<Information Option = "Scan Registry" State = "ON"/>
<Information Option = "Scan Active Processes" State = "ON"/>
<Information Option = "Automatic Database Update" State = "ON"/>
<Information Option = "Automatic Program Update" State = "ON"/>
<Information Option = "Automatic Removal" State = "OFF"/>
<Information Option = "Exit When Finished" State = "OFF"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/>
<Information Value = "MSMSGS" Data = "C:\Program Files\Messenger\msmsgs.exe /background" MD5 = "74e6e96c6f0e2eca4edbb7f7a468f259" Path = ""/>
<Information Value = "ctfmon.exe" Data = "C:\WINDOWS\system32\ctfmon.exe" MD5 = "24232996a38c0b0cf151c2140ae29fc8" Path = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"/>
<Information Value = "VTTimer" Data = "VTTimer.exe" MD5 = "4e65c3c5accc24d0bc49a0954e5f4885" Path = "C:\WINDOWS\system32\VTTimer.exe"/>
<Information Value = "Acronis True Image Monitor" Data = "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" MD5 = "97bf5366893cc3e31061f79f71b2fc40" Path = ""/>
<Information Value = "Acronis Scheduler2 Service" Data = "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" MD5 = "00ed3581af7f8fedc91a4ec9b2311bbb" Path = ""/>
<Information Value = "HPDJ Taskbar Utility" Data = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" MD5 = "b25f66fdaa5a0389500c8a9e0433e5a5" Path = ""/>
<Information Value = "HP Software Update" Data = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" MD5 = "821f73b833c4daebc33c1a9a4b16bb5a" Path = ""/>
<Information Value = "HP Component Manager" Data = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" MD5 = "48ea078d949b13cdc06a47df20489b9c" Path = ""/>
<Information Value = "DeviceDiscovery" Data = "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" MD5 = "7eef9e578d2aa3d562d074bfdfe56825" Path = ""/>
<Information Value = "SpySweeper" Data = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /startintray" MD5 = "21020afbc436b219e1fb1377b3c05fd4" Path = ""/>
<Information Value = "BDOESRV" Data = "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" MD5 = "01980366e2a0ee31bab611a141f44e8d" Path = ""/>
<Information Value = "BDMCon" Data = "C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" MD5 = "a4099003cad709c2cea16853b26f2c86" Path = ""/>
<Information Value = "BDNewsAgent" Data = "c:\progra~1\softwin\bitdef~1\bdnagent.exe" MD5 = "8cc570ff9d4c21efc0ca13ac30b39a87" Path = ""/>
<Information Value = "BDSwitchAgent" Data = "c:\progra~1\softwin\bitdef~1\bdswitch.exe" MD5 = "18239361e5c93587da0b96960e646686" Path = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/>
<Information Value = "Userinit" Data = "C:\WINDOWS\system32\userinit.exe,"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"/>
<Information Value = "Shell" Data = "Explorer.exe"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/>
<Information Value = "load" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Windows"/>
<Information Value = "AppInit_DLLs" Data = "sockspy.dll" MD5 = "6382040502f8e7271e65a523b70f2b0a" Path = "C:\WINDOWS\system32\sockspy.dll"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"/>
<Information Value = "PostBootReminder" Data = "{7849596a-48ea-486e-8937-a2a3009f31a9}"/>
<Information Value = "CDBurn" Data = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"/>
<Information Value = "WebCheck" Data = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"/>
<Information Value = "SysTray" Data = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"/>
<Information Value = "UPnPMonitor" Data = "{e57ce738-33e8-4c51-8354-bb4de9d215d1}"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"/>
<Information Value = "{438755C2-A8BA-11D1-B96B-00A0C90312E1}" Data = "Browseui preloader"/>
<Information Value = "{8C7461EF-2B13-11d2-BE35-3078302C2030}" Data = "Component Categories cache daemon"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\OLE"/>
<Information Value = "DefaultLaunchPermission" Data = ""/>
<Information Value = "EnableDCOM" Data = "Y"/>
<Information Value = "MachineLaunchRestriction" Data = ""/>
<Information Value = "MachineAccessRestriction" Data = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\Main"/>
<Information Value = "NoUpdateCheck" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "NoJITSetup" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "Cache_Update_Frequency" Data = "Once_Per_Session"/>
<Information Value = "Do404Search" Data = ""/>
<Information Value = "Local Page" Data = "C:\WINDOWS\system32\blank.htm"/>
<Information Value = "Start Page" Data = "http://www.clubbalihai.com/"/>
<Information Value = "Search Page" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"/>
<Information Value = "AddToFavoritesExpanded" Data = "(DWORD) 0 0 0 0"/>
<Information Value = "Window_Placement" Data = ""/>
<Information Value = "NscSingleExpand" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "NoWebJITSetup" Data = "(DWORD) 0 0 0 0"/>
<Information Value = "Page_Transitions" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "UseThemes" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "Force Offscreen Composition" Data = "(DWORD) 0 0 0 0"/>
<Information Value = "AllowWindowReuse" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "SmoothScroll" Data = "(DWORD) 0x1 0 0 0"/>
<Information Value = "Show image placeholders" Data = "(DWORD) 0 0 0 0"/>
<Information Value = "AutoSearch" Data = "(DWORD) 0x5 0 0 0"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Main"/>
<Information Value = "Default_Page_URL" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"/>
<Information Value = "Default_Search_URL" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"/>
<Information Value = "Search Page" Data = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"/>
<Information Value = "Cache_Percent_of_Disk" Data = ""/>
<Information Value = "Local Page" Data = ""/>
<Information Value = "Anchor_Visitation_Horizon" Data = ""/>
<Information Value = "Placeholder_Width" Data = ""/>
<Information Value = "Placeholder_Height" Data = ""/>
<Information Value = "Start Page" Data = "http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"/>
<Information Value = "CompanyName" Data = "Microsoft Corporation"/>
<Information Value = "Custom_Key" Data = "MICROSO"/>
<Information Value = "Wizard_Version" Data = "6.0.2600.0000"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Search"/>
<Information Value = "SearchAssistant" Data = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"/>
<Information Value = "CustomizeSearch" Data = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\SearchURL"/>
<Information Value = "provider" Data = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\URLSearchHooks"/>
<Information Value = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" Data = ""/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "Software\Microsoft\Internet Explorer\Toolbar"/>
<Information Value = "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" Data = "Norton AntiVirus"/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Internet Explorer\Toolbar"/>
<Information Value = "LinksFolderName" Data = "Links"/>
<Information Value = "Locked" Data = "(DWORD) 0x1 0 0 0"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\exefile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\comfile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\batfile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\piffile\shell\open\command"/>
<Information Value = "" Data = "%1 %*"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\scrfile\shell\open\command"/>
<Information Value = "" Data = "%1 /S"/>
<Information RootKey = "HKEY_LOCAL_MACHINE" KeyPath = "SOFTWARE\Classes\htafile\shell\open\command"/>
<Information Value = "" Data = "C:\WINDOWS\System32\mshta.exe %1 %*" MD5 = "c4445bd306656ade30900e6197fabed1" Path = ""/>
<Information RootKey = "HKEY_CURRENT_USER" KeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings"/>
<Information Value = "ProxyEnable" Data = "(DWORD) 0 0 0 0"/>
<Information Directory = "C:\Documents and Settings\Reservations\Start Menu\Programs\Startup\*" Program = "desktop.ini" MD5 = "d6a6856702e3f0953e7246a9b4a9fe35" />
<Information Directory = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" Program = "Adobe Reader Speed Launch.lnk" LinkFile = "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" MD5 = "deb88aef013dd1eefb462d7cad642166"/>
<Information Directory = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" Program = "desktop.ini" MD5 = "d6a6856702e3f0953e7246a9b4a9fe35" />
<Information Directory = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" Program = "PC Alert 4.lnk" LinkFile = "C:\Program Files\MSI\PC Alert 4\PCAlert4.exe" MD5 = "8ef87927b2f02bb8ae62e847c470c09e"/>
<Scanning TIME = "21 Apr 06 18:20:42">
<PROCESS NAME = "C:\WINDOWS\system32\services.exe" MD5 = "c6ce6eec82f187615d1002bb3bb50ed4"/>
<PROCESS NAME = "C:\WINDOWS\system32\lsass.exe" MD5 = "84885f9b82f4d55c6146ebf6065d75d2"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\system32\spoolsv.exe" MD5 = "da81ec57acd4cdc3d4c51cf3d409af9f"/>
<PROCESS NAME = "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" MD5 = "17bd1d37335487f555908a37d28aa2b7"/>
<PROCESS NAME = "C:\Program Files\ewido anti-malware\ewidoctrl.exe" MD5 = "26830b750372ab1bf29c95deebeb802f"/>
<PROCESS NAME = "C:\Program Files\ewido anti-malware\ewidoguard.exe" MD5 = "34a50717ad686900f078f5208f8e908e"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" MD5 = "ce9adf8ce48e902faa8ad43a18386dc3"/>
<PROCESS NAME = "C:\WINDOWS\Explorer.EXE" MD5 = "a0732187050030ae399b241436565e64"/>
<PROCESS NAME = "C:\WINDOWS\system32\VTTimer.exe" MD5 = "4e65c3c5accc24d0bc49a0954e5f4885"/>
<PROCESS NAME = "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" MD5 = "97bf5366893cc3e31061f79f71b2fc40"/>
<PROCESS NAME = "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" MD5 = "00ed3581af7f8fedc91a4ec9b2311bbb"/>
<PROCESS NAME = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" MD5 = "b25f66fdaa5a0389500c8a9e0433e5a5"/>
<PROCESS NAME = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" MD5 = "821f73b833c4daebc33c1a9a4b16bb5a"/>
<PROCESS NAME = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" MD5 = "48ea078d949b13cdc06a47df20489b9c"/>
<PROCESS NAME = "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" MD5 = "7eef9e578d2aa3d562d074bfdfe56825"/>
<PROCESS NAME = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" MD5 = "21020afbc436b219e1fb1377b3c05fd4"/>
<PROCESS NAME = "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" MD5 = "01980366e2a0ee31bab611a141f44e8d"/>
<PROCESS NAME = "C:\progra~1\softwin\bitdef~1\bdnagent.exe" MD5 = "8cc570ff9d4c21efc0ca13ac30b39a87"/>
<PROCESS NAME = "C:\progra~1\softwin\bitdef~1\bdswitch.exe" MD5 = "18239361e5c93587da0b96960e646686"/>
<PROCESS NAME = "C:\Program Files\Messenger\msmsgs.exe" MD5 = "74e6e96c6f0e2eca4edbb7f7a468f259"/>
<PROCESS NAME = "C:\WINDOWS\system32\ctfmon.exe" MD5 = "24232996a38c0b0cf151c2140ae29fc8"/>
<PROCESS NAME = "C:\Program Files\MSI\PC Alert 4\PCAlert4.exe" MD5 = "8ef87927b2f02bb8ae62e847c470c09e"/>
<PROCESS NAME = "C:\WINDOWS\system32\wdfmgr.exe" MD5 = "ab0a7ca90d9e3d6a193905dc1715ded0"/>
<PROCESS NAME = "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" MD5 = "b31359d3cd699a484af46477231c019c"/>
<PROCESS NAME = "C:\WINDOWS\System32\alg.exe" MD5 = "f1958fbf86d5c004cf19a5951a9514b7"/>
<PROCESS NAME = "C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" MD5 = "5eaf1275c7c576fb7c74908f3c39e338"/>
<PROCESS NAME = "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" MD5 = "17f055b75c66eee725251767f57bfa6a"/>
<PROCESS NAME = "C:\Program Files\Softwin\BitDefender9\vsserv.exe" MD5 = "9fc5348617bc24ac0f1d2643b41e7a3c"/>
<PROCESS NAME = "c:\progra~1\softwin\bitdef~1\bdmcon.exe" MD5 = "a4099003cad709c2cea16853b26f2c86"/>
<PROCESS NAME = "C:\Program Files\XoftSpy\XoftSpy.exe" MD5 = "14a25102642960b794b4cf5981b2c341"/>
<ScanningRegKeys>
</ScanningRegKeys>
<ScanningRegValues>
</ScanningRegValues>
<ScanningRegValuesChanged>
</ScanningRegValuesChanged>
</Scanning>
</Session>
'Stein 150 Lapsed Skeptic Team Colleague
Hmm, well the log looks clean. Let's try this. Uninstall SpySweeper.
After doing this, run another Ewido scan, and if it just finds tracking cookies, then ya don't need to post it.
After that, to be sure it's clean, we'll run 2 online scans:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
Run both, and post back logs here if they give them to ya.
Then, 1 more HJT log after it all.
Thanks.
carolraydon 0 Junior Poster in Training
It worked - SS must have taken everything with is when it went. Ewido & Housecall both said "squeaky clean". Thanks for holding my hand. Here's the last hjt log...
Logfile of HijackThis v1.99.1
Scan saved at 19:29:39, on 23/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\progra~1\softwin\bitdef~1\bdswitch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Documents and Settings\Reservations\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clubbalihai.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
'Stein 150 Lapsed Skeptic Team Colleague
Yep, all clean.
Glad we could help :)
Thanks.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.