
Purityscan and more

Discussion in 'Virus & Other Malware Removal' started by mjh2006, Jan 25, 2006.

Thread Status:
Not open for further replies.
  1. mjh2006

    mjh2006 Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    6
    My daughter's computer appears to be badly infected. A few of the adware programs will not even start... Any help will be greatly appreciated!

    Here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:28:39 PM, on 1/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Altiris\AClient\AClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
    C:\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Real\RealPlayer\tsystray.exe
    C:\Program Files\Ycozwuo\Sbekmy.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\??sembly\smss.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\nrpn\osoa.exe
    C:\Documents and Settings\m0430732\Desktop\HijackThis Logs\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {11F42866-CBFB-E07B-F368-E92B57BED9EE} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
    O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealPlayer\tsystray.exe"
    O4 - HKLM\..\Run: [Ujhxkls] C:\Program Files\Ycozwuo\Sbekmy.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
    O4 - HKLM\..\Run: [http://www.lienvandekelder.be] \Lien Van de Kelder.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [vùõš/‚²ÆßfÏNb*»1÷C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nbvmf.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\RunServices: [http://www.lienvandekelder.be] \Lien Van de Kelder.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Exlcp] C:\WINDOWS\system32\??sembly\smss.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O17 - HKLM\Software\..\Telephony: DomainName = Cornerstone.disciplenet
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
    O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Welcome to TSG :)

    Download KillBox here: http://www.downloads.subratam.org/KillBox.exe
    Save it to your desktop.
    DO NOT run it yet. We will use it later.

    Download http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed.
    You won't see anything happen.

    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, have it delete anything that it cannot clean.
    Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    Save the results from the scan.

    Post a new Hijack This log and the Activescan results.
     
  3. mjh2006

    mjh2006 Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    6
    Here are the new reports:
    Logfile of HijackThis v1.99.1
    Scan saved at 6:55:48 AM, on 1/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Altiris\AClient\AClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
    C:\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Real\RealPlayer\tsystray.exe
    C:\Program Files\Ycozwuo\Sbekmy.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\??sembly\smss.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\nrpn\osoa.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\m0430732\Desktop\HijackThis Logs\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {11F42866-CBFB-E07B-F368-E92B57BED9EE} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
    O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealPlayer\tsystray.exe"
    O4 - HKLM\..\Run: [Ujhxkls] C:\Program Files\Ycozwuo\Sbekmy.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
    O4 - HKLM\..\Run: [http://www.lienvandekelder.be] \Lien Van de Kelder.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [vùõš/‚²ÆßfÏNb*»1÷C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nbvmf.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\RunServices: [http://www.lienvandekelder.be] \Lien Van de Kelder.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Exlcp] C:\WINDOWS\system32\??sembly\smss.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O17 - HKLM\Software\..\Telephony: DomainName = Cornerstone.disciplenet
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
    O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



    Incident Status Location

    Adware:Adware/PurityScan Not disinfected C:\Program Files\nrpn\osoa.exe
    Adware:Adware/Dyfuca Not disinfected C:\Program Files\Ycozwuo\Sbekmy.exe
    Adware:adware/purityscan Not disinfected C:\Documents and Settings\m0430732\Local Settings\Temp\!update.exe
    Adware:adware/dyfuca Not disinfected C:\Documents and Settings\m0430732\Local Settings\Temp\cfout.txt
    Adware:adware/ist.istbar Not disinfected C:\Documents and Settings\m0430732\Local Settings\Temp\shortcuts.txt
    Adware:adware/cws Not disinfected C:\Documents and Settings\m0430732\Favorites\LIVING\Find a Degree.lnk
    Adware:adware/exact.bargainbuddy Not disinfected C:\WINDOWS\SYSTEM32\bbchk.exe
    Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\data.~
    Adware:adware/talkstocks Not disinfected C:\WINDOWS\SYSTEM32\mstbl.ocx
    Adware:adware/ncase Not disinfected C:\TEMP\salm.log
    Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini
    Adware:adware/imgiant Not disinfected C:\PROGRAM FILES\joystick networks
    Potentially unwanted tool:application/spywarestormer Not disinfected C:\PROGRAM FILES\Spyware Stormer
    Adware:adware/e2give Not disinfected Windows Registry
    Adware:adware/secure32 Not disinfected C:\WINDOWS\system32\drivers\etc\hosts
    Spyware:spyware/adclicker Not disinfected Windows Registry
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][3].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][1].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][1].txt
    Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][3].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][1].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][1].txt
    Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\m0430732\Cookies\[email protected][2].txt
    Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\m0430732\Local Settings\Temp\!update.exe
    Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Documents and Settings\m0430732\Local Settings\Temporary Internet Files\Content.IE5\CMZWWNED\ErrorSafeScannerInstall[1].cab[UERS_0001_NI57M1124NetInstaller.exe]
    Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\m0430732\Local Settings\Temporary Internet Files\Content.IE5\TGDRZ2DB\!update-3195[1].0000
    Adware:Adware/E2Give Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7410A9EB-FCEA-44B5-AD99-7EB924\D3D6C0D0-BC5B-489E-A85F-CB7BD4
    Adware:Adware/PurityScan Not disinfected C:\Program Files\nrpn\osoa.exe
    Adware:Adware/Dyfuca Not disinfected C:\Program Files\Ycozwuo\Sbekmy.exe
    Virus:Trj/Small.FE Disinfected C:\WINDOWS\pi1_25.exe
    Virus:Trj/Prutec.T Disinfected C:\WINDOWS\SYSTEM32\ativar.exe
    Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\1.hosts
    Virus:Trj/Agent.APG Disinfected C:\WINDOWS\SYSTEM32\fmo_32.exe
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Isn't SpySweeper working, as that normally fixes your pests quite well?
     
  5. mjh2006

    mjh2006 Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    6
    No, SpySweeper is not removing all of the problems. I also have CounterSpy, and something is stopping it from working properly. Ewido will not even open.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily


    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R3 - URLSearchHook: (no name) - {11F42866-CBFB-E07B-F368-E92B57BED9EE} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)



    O4 - HKLM\..\Run: [Ujhxkls] C:\Program Files\Ycozwuo\Sbekmy.exe

    O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
    O4 - HKLM\..\Run: [http://www.lienvandekelder.be] \Lien Van de Kelder.exe

    O4 - HKLM\..\Run: [vùõš/‚²ÆßfÏNb*»1÷C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nbvmf.exe
    O4 - HKLM\..\RunServices: [http://www.lienvandekelder.be] \Lien Van de Kelder.exe

    O4 - HKCU\..\Run: [Exlcp] C:\WINDOWS\system32\??sembly\smss.exe


    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.


    Now start Killbox, go to Options on the top bar and make sure Remove Directories is enabled and Remove Duplicates is UNCHECKED, then paste the first file listed below into the full pathname and file to delete box.

    The file name will appear in the window; select delete on reboot, press the red X button, say yes to the prompt and NO to reboot now, then repeat for each file in turn.

    [Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox] If Killbox tells you any files are missing, don't worry, but make a note and let us know in your next reply.

    C:\WINDOWS\system32\??sembly\smss.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\nbvmf.exe
    C:\svchost.exe
    C:\Program Files\Ycozwuo\Sbekmy.exe
    C:\WINDOWS\system32\Lien Van de Kelder.exe
    C:\Program Files\nrpn\osoa.exe
    C:\Program Files\Ycozwuo\Sbekmy.exe
    C:\Documents and Settings\m0430732\Local Settings\Temp\!update.exe
    C:\Documents and Settings\m0430732\Local Settings\Temp\cfout.txt
    C:\Documents and Settings\m0430732\Local Settings\Temp\shortcuts.txt
    C:\Documents and Settings\m0430732\Favorites\LIVING\Find a Degree.lnk
    C:\WINDOWS\SYSTEM32\bbchk.exe
    C:\WINDOWS\SYSTEM32\data.~
    C:\WINDOWS\SYSTEM32\mstbl.ocx
    C:\TEMP\salm.log
    C:\WINDOWS\ubber60.ini
    C:\PROGRAM FILES\joystick networks
    C:\PROGRAM FILES\Spyware Stormer
    C:\WINDOWS\system32\drivers\etc\hosts
    C:\Documents and Settings\m0430732\Local Settings\Temp\!update.exe

    Then on killbox top bar press tools/delete temp files, in the pop up box in the NT section select temp & temp internet & cookies only and in the 9x section select c:\windows\temp & c:\temp then on the drop down user account box, select your account, then repeat for every user account on the computer

    then reboot & see if spysweeper & ewido etc can run

    if they do, then update them and run them and post the logs they make and a new HJT log
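    The entries picked out for Fix Checked above are not chosen at random: each has a structural tell (a hook pointing at no file, a system binary name running from the wrong directory, unprintable characters in a value name or path, an ActiveX download with no description). The script below is an added example, not the thread's own and not HijackThis code; it encodes those tells as triage rules over the log lines copied from this thread, and the rule set is this example's own. Note that the `Ycozwuo\Sbekmy.exe` entry is deliberately left unflagged: a random-looking name is structurally unremarkable and is only caught by a reputation or known-good lookup, which is the part of the analysis a script like this cannot replace.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example; not part of the thread and not part of HijackThis. The rules
reproduce the reasoning behind the entries the moderator picked for
'fix checked' and are this example's own, not HijackThis's.
"""
import re

# Binaries that legitimately run only from %SystemRoot%\System32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*)\] (?P<cmd>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>\S+) - (?P<file>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")


def _exe_path(cmd: str) -> str:
    """Return the executable path from a Run value, stripping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: the path ends at the first '.exe'; otherwise take the first token.
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def triage_line(line: str) -> list:
    """Return the reasons a log line looks suspicious (empty list = nothing flagged)."""
    reasons = []
    line = line.strip()

    if m := R3_RE.match(line):
        if m["file"] == "(no file)":
            reasons.append("URLSearchHook points to no file (orphaned hook)")
        if m["clsid"].startswith("_"):
            reasons.append("CLSID prefixed with '_' (decoy hook)")
        return reasons

    if m := O4_RE.match(line):
        name, path = m["name"], _exe_path(m["cmd"])
        low = path.lower()
        directory, _, base = low.rpartition("\\")
        if any(ord(ch) > 126 for ch in name):
            reasons.append("non-ASCII characters in value name")
        if "?" in path:
            # HijackThis prints '?' for characters it cannot render; '?' is not
            # a valid filename character, so the real path is being hidden.
            reasons.append("unrenderable characters in path")
        if base in SYSTEM_BINARIES and directory != SYSTEM32:
            reasons.append(f"{base} running from outside System32")
        if re.match(r"^[a-z]:\\[^\\]+$", low):
            reasons.append("executable located in drive root")
        if low.startswith("\\"):
            reasons.append("path has no drive letter")
        if name.lower().startswith(("http://", "www.")):
            reasons.append("value name is a URL")
        if m["key"] == "RunServices":
            reasons.append("RunServices key (legacy 9x key, rarely legitimate on XP)")
        return reasons

    if m := O16_RE.match(line):
        if not m["desc"]:
            reasons.append("ActiveX download with no description")
        if m["url"].lower().endswith(".exe"):
            reasons.append("DPF points directly at an .exe rather than a .cab")
        return reasons

    return reasons


def triage_log(lines) -> dict:
    """Map each flagged line to its reasons; unflagged lines are omitted."""
    out = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            out[line.strip()] = reasons
    return out


# Sample input: the lines the moderator picked, plus three benign lines from the
# second log in this thread, copied verbatim.
SAMPLE_LINES = [
    r"R3 - URLSearchHook: (no name) - {11F42866-CBFB-E07B-F368-E92B57BED9EE} - (no file)",
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O4 - HKLM\..\Run: [Ujhxkls] C:\Program Files\Ycozwuo\Sbekmy.exe",
    r"O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe",
    r"O4 - HKLM\..\Run: [http://www.lienvandekelder.be] \Lien Van de Kelder.exe",
    r"O4 - HKLM\..\Run: [vùõš/‚²ÆßfÏNb*»1÷C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nbvmf.exe",
    r"O4 - HKLM\..\RunServices: [http://www.lienvandekelder.be] \Lien Van de Kelder.exe",
    r"O4 - HKCU\..\Run: [Exlcp] C:\WINDOWS\system32\??sembly\smss.exe",
    r"O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe",
    r"O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.",
    r"O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe",
    r'O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray',
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
]

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LINES).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run it on a full HijackThis log and it prints only the lines worth a closer look, with the reason beside each; anything it stays silent about still needs the usual check of the file's publisher and reputation, as the Ycozwuo entry shows.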
     
  7. mjh2006

    mjh2006 Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    6
    Thank you for your help. I completed the steps and tried to use Ewido and CounterSpy. Ewido will not load at all. CounterSpy goes through the entire scan, detects infections and at the end is disabled and nothing is fixed.

    The following is the new HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:22:13 PM, on 1/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Altiris\AClient\AClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
    C:\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Real\RealPlayer\tsystray.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Documents and Settings\m0430732\Desktop\HijackThis Logs\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
    O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealPlayer\tsystray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O17 - HKLM\Software\..\Telephony: DomainName = Cornerstone.disciplenet
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Cornerstone.disciplenet
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
    O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
    O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Ah, you have M$ AntiSpyware & CounterSpy & SpySweeper all active and that is not a good idea as they will cancel each other's fixes out

    disable the active protection of the ones who aren't actually doing the cleaning at the time

    in fact uninstall M$ AntiSpyware if you are using the others
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    And you have Panda and Norton antiviruses both running together; that also is causing problems
     
  10. mjh2006

    mjh2006 Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    6
    Again, thank you for all your help. I removed the following programs:

    1. Spybot S&D
    2. Ewido
    3. MS
    4. Panda Antivirus

    Programs kept:
    1. Webroot Spy Sweeper
    2. CounterSpy > Again, scans finish and without action, "ignore" all spyware/adware found.

    I disabled Webroot Spy Sweeper and ran another scan with Counterspy. Again, it immediately reported all found items were ignored.

    Some of CounterSpy's last report:
    (System will not allow entire scan details as they are too long - States: Please shorten it to 30000 characters long)

    Spyware Scan Details
    Start Date: 7/24/2006 7:26:16 AM (Note: date is wrong for some reason?)
    End Date: 7/24/2006 8:34:16 AM
    Total Time: 1 hrs 8 mins

    Detected spyware

    Prutect Security Disabler more information...
    Details: Prutect attempts to shut down or tamper with a number of anti spyware applications, like Ad-Aware and SpyBot S&D.
    Status: Ignored

    Infected files detected
    c:\windows\system32\var_32.exe
    c:\windows\pi1_25.exe
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP478\A0185268.exe
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP478\A0185269.dll
    C:\WINDOWS\SYSTEM32\fmo_32.exe
    C:\WINDOWS\SYSTEM32\var_32.dll

    Infected registry entries detected
    HKEY_CURRENT_USER\Software\PTech
    HKEY_CURRENT_USER\Software\PTech\1 25
    HKEY_CURRENT_USER\Software\PTech Vendor 1
    HKEY_CURRENT_USER\Software\PTech Parameter 25
    HKEY_CURRENT_USER\Software\PTech Id 10922699
    HKEY_CURRENT_USER\Software\PTech nextCheck 1153809671
    HKEY_CURRENT_USER\Software\PTech lastCheck 1153674067


    E2give Adware more information...
    Details: E2Give is an Internet Explorer Browser Helper Object that redirects accesses to web merchants in order to claim their affiliate fees.
    Status: Ignored

    Infected files detected
    c:\program files\e2g\iebhos.dll
    c:\program files\e2g\data19
    c:\documents and settings\m0430732\local settings\temp\ei.exe
    c:\WINDOWS\SYSTEM32\key.~
    c:\WINDOWS\SYSTEM32\log.~
    c:\WINDOWS\SYSTEM32\data.~
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD273.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD28D.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD391.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD3BB.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD3CA.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD3FF.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD44C.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD583.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD711.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD71C.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD916.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFD98B.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFDA96.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFDC45.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFDF70.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE11D.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE2E0.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE2F2.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE323.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE4B8.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE535.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE53C.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE56.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE64.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFE7DF.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFEA8D.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFED2B.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFEEA8.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFEF52.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFF0B5.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFF4E2.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFF707.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFF793.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFF846.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFF8BA.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFF9F4.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFFA05.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFFB31.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFFC71.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFFCCA.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFFDBA.tmp
    C:\Documents and Settings\m0430732\Local Settings\Temp\~DFFECD.tmp

    Infected registry entries detected
    HKEY_CLASSES_ROOT\appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}
    HKEY_CLASSES_ROOT\appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e} IeBHOs
    HKEY_CLASSES_ROOT\appid\iebhos.dll
    HKEY_CLASSES_ROOT\appid\iebhos.dll AppID {3B99F202-145A-4E5A-AC7B-88A36910BF5E}
    HKEY_CLASSES_ROOT\iebhos.control.1
    HKEY_CLASSES_ROOT\iebhos.control.1\CLSID {3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
    HKEY_CLASSES_ROOT\iebhos.control.1 CControl Object
    HKEY_CLASSES_ROOT\iebhos.control
    HKEY_CLASSES_ROOT\iebhos.control\CLSID {3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
    HKEY_CLASSES_ROOT\iebhos.control\CurVer IeBHOs.Control.1
    HKEY_CLASSES_ROOT\iebhos.control CControl Object
    HKEY_CLASSES_ROOT\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}
    HKEY_CLASSES_ROOT\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\1.0\0\win32 C:\Program Files\E2G\IeBHOs.dll
    HKEY_CLASSES_ROOT\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\1.0\FLAGS 0
    HKEY_CLASSES_ROOT\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\1.0\HELPDIR C:\Program Files\E2G\
    HKEY_CLASSES_ROOT\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}\1.0 IeBHOs 1.0 Type Library
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IeBHOs.Control
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IeBHOs.Control\CLSID {3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IeBHOs.Control\CurVer IeBHOs.Control.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IeBHOs.Control CControl Object
    HKEY_LOCAL_MACHINE\software\e2g
    HKEY_LOCAL_MACHINE\software\e2g installDir C:\Program Files\E2G
    HKEY_LOCAL_MACHINE\software\e2g source 25
    HKEY_LOCAL_MACHINE\software\e2g checkStarted 1153688697
    HKEY_LOCAL_MACHINE\software\e2g id 12442936
    HKEY_LOCAL_MACHINE\software\e2g lastBuild 40
    HKEY_LOCAL_MACHINE\software\e2g lastCheck 1153688697
    HKEY_LOCAL_MACHINE\software\e2g lastMerchant -684182637
    HKEY_LOCAL_MACHINE\software\e2g lastReplacement 1153688919
    HKEY_LOCAL_MACHINE\software\e2g popup 0
    HKEY_LOCAL_MACHINE\software\e2g lastAggregator 1
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\e2g plugin
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\e2g plugin DisplayName E2give Plug-in
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\e2g plugin UninstallString regsvr32 /u /s "C:\Program Files\E2G\IeBHOs.dll"
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\e2g plugin HelpLink mailto:[email protected]
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\e2g plugin Publisher e2give, LLC (click here to read license agreement)
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\e2g plugin URLInfoAbout http://e2give.com/license.html
    HKEY_CLASSES_ROOT\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}
    HKEY_CLASSES_ROOT\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\InprocServer32 C:\Program Files\E2G\IeBHOs.dll
    HKEY_CLASSES_ROOT\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\InprocServer32 ThreadingModel apartment
    HKEY_CLASSES_ROOT\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\ProgID IeBHOs.Control.1
    HKEY_CLASSES_ROOT\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\TypeLib {3B99F202-145A-4E5A-AC7B-88A36910BF5E}
    HKEY_CLASSES_ROOT\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\VersionIndependentProgID IeBHOs.Control
    HKEY_CLASSES_ROOT\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6} CControl Object
    HKEY_CLASSES_ROOT\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6} AppID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E} IeBHOs
    HKEY_LOCAL_MACHINE\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}
    HKEY_LOCAL_MACHINE\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\InprocServer32 C:\Program Files\E2G\IeBHOs.dll
    HKEY_LOCAL_MACHINE\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\InprocServer32 ThreadingModel apartment
    HKEY_LOCAL_MACHINE\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\ProgID IeBHOs.Control.1
    HKEY_LOCAL_MACHINE\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\TypeLib {3B99F202-145A-4E5A-AC7B-88A36910BF5E}
    HKEY_LOCAL_MACHINE\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}\VersionIndependentProgID IeBHOs.Control
    HKEY_LOCAL_MACHINE\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6} CControl Object
    HKEY_LOCAL_MACHINE\software\classes\clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6} AppID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\IeBHOs.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\IeBHOs.DLL AppID {3B99F202-145A-4E5A-AC7B-88A36910BF5E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IeBHOs.Control.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IeBHOs.Control.1\CLSID {3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IeBHOs.Control.1 CControl Object
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\IeBHOs.DLL AppID {3B99F202-145A-4E5A-AC7B-88A36910BF5E}
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G installDir C:\Program Files\E2G
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} AppID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}\InprocServer32 ThreadingModel apartment
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}\Programmable
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0\0\win32 C:\Program Files\E2G\IeBHOs.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0\FLAGS 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0\HELPDIR C:\Program Files\E2G\
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0 IeBHOs 1.0 Type Library
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0\0
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0\0\win32 C:\Program Files\E2G\IeBHOs.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G installDir C:\Program Files\E2G
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G checkStarted 1153688697
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G lastBuild 40
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G lastCheck 1153688697
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G lastMerchant -684182637
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G lastReplacement 1153688919
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G lastAggregator 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin URLInfoAbout http://e2give.com/license.html
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin Publisher e2give, LLC (click here to read license agreement)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin HelpLink mailto:[email protected]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin UninstallString regsvr32 /u /s "C:\Program Files\E2G\IeBHOs.dll"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin DisplayName E2give Plug-in


    BearShare P2P more information...
    Details: BearShare is a file sharing network. The free version installs a number of known spyware and adware programs.
    Status: Ignored

    Infected files detected
    c:\program files\bearshare\bearshare.dat
    c:\program files\bearshare\freepeers.ini
    c:\program files\bearshare\db\config.bin
    c:\program files\bearshare\db\connect.txt
    c:\program files\bearshare\db\gwebcache.dat
    c:\program files\bearshare\db\hostiles-chat.txt
    c:\program files\bearshare\db\hostiles.txt
    c:\program files\bearshare\db\library.2.db
    c:\program files\bearshare\db\library.2.db.lastgoodload.bak
    c:\program files\bearshare\db\library.dat
    c:\program files\bearshare\db\library.db
    c:\program files\bearshare\db\library.db.lastgoodload.bak
    c:\program files\bearshare\db\searches.ini
    c:\program files\bearshare\logs\hosts-state.txt
    c:\program files\bearshare\logs\memory.txt
    c:\program files\bearshare\logs\ordinal.txt
    c:\program files\bearshare\logs\streams.txt
    c:\program files\bearshare\temp\tmp1 - todd agnew - romans 121(1).dat
    c:\program files\bearshare\temp\tmp1 - todd agnew - romans 121(1).dat.bak
    c:\program files\bearshare\temp\tmp1 - todd agnew - romans 121(1).mp3
    c:\program files\bearshare\temp\tmpiworship next - 1 - todd agnew - romans 121.dat
    c:\program files\bearshare\temp\tmpiworship next - 1 - todd agnew - romans 121.dat.bak
    c:\program files\bearshare\temp\tmpiworship next - 1 - todd agnew - romans 121.mp3
    c:\program files\bearshare\temp\tmptodd agnew romans 121 1.dat
    c:\program files\bearshare\temp\tmptodd agnew romans 121 1.dat.bak
    c:\program files\bearshare\temp\tmptodd agnew romans 121 1.mp3
    c:\program files\bearshare\temp\tmptodd agnew romans 121.dat
    c:\program files\bearshare\temp\tmptodd agnew romans 121.dat.bak
    c:\program files\bearshare\temp\tmptodd agnew romans 121.mp3

    Infected registry entries detected
    HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
    HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 C:\Program Files\BearShare\RunMSC.dll
    HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 ThreadingModel Apartment
    HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\ProgID RunMSC.Loader.1
    HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
    HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\VersionIndependentProgID RunMSC.Loader
    HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07} Loader Class
    HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
    HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 C:\Program Files\BearShare\RunMSC.dll
    HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0
    HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR C:\Program Files\BearShare\
    HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library
    HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
    HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 C:\Program Files\BearShare\RunMSC.dll
    HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0
    HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR C:\Program Files\BearShare\
    HKEY_LOCAL_MACHINE\software\classes\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library


    ViewPoint Beta Potential Privacy Risk more information...
    Details: ViewPoint Toolbar will hijack your search queries and also transmits non personally identifiable information back to their servers
    Status: Ignored

    Infected files detected
    c:\program files\viewpoint\viewpoint manager\read_me.txt
    c:\program files\viewpoint\viewpoint manager\vetscriptinterpreter.dll
    c:\program files\viewpoint\viewpoint manager\viewcp.cpl
    c:\program files\viewpoint\viewpoint manager\viewmgr.exe
    c:\program files\viewpoint\viewpoint manager\viewmgrcore.dll
    c:\program files\viewpoint\viewpoint manager\viewmgrinstaller.exe
    c:\program files\viewpoint\viewpoint manager\notifydata\header.gif
    c:\program files\viewpoint\viewpoint manager\notifydata\no.gif
    c:\program files\viewpoint\viewpoint manager\notifydata\options.ini
    c:\program files\viewpoint\viewpoint manager\notifydata\updates.html
    c:\program files\viewpoint\viewpoint manager\notifydata\yes.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\s.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_header_av.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_header_cp.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_header_up.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_inner_bg.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_inner_bottom.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_tab1_off.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_tab1_on.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_tab2_off.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_tab2_on.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vm_tab_bg.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\images\vwpt_logo.gif
    c:\program files\viewpoint\viewpoint manager\viewcpdata\options.ini
    c:\program files\viewpoint\viewpoint manager\viewcpdata\viewpoint.ico
    c:\program files\viewpoint\viewpoint manager\viewcpdata\vmctrl.html

    xe /u /k
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager DisplayIcon C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe,0


    Trojan.JoystickNetworks.DesktopIcons Adware more information...
    Details: This Adware creates a set of Desktop Icons with weblinks to associated sites.
    Status: Ignored

    Infected files detected
    c:\program files\joystick networks\setup\celebs.ico
    c:\program files\joystick networks\setup\gamesjoy.ico
    c:\program files\joystick networks\setup\imgiant.ico
    c:\program files\joystick networks\setup\joywar.ico
    c:\program files\joystick networks\setup\news.ico
    c:\program files\joystick networks\setup\savers.ico
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP480\A0185332.exe


    misc.SpywareStormer Misc more information...
    Details: Spyware Stormer is a rogue anti-spyware program that reports false positive infections. It then directs users to the spywarestormer.com web site and asks for payment to clean the PC.
    Status: Ignored

    Infected files detected
    c:\program files\spyware stormer\setup.exe


    C2.Lop Spyware more information...
    Details: Lop is a group of spyware and hijacker programs that set your Internet Explorer start page and search features to use the site lop.com ('Live Online Portal') or one of its clone sites.
    Status: Ignored

    Infected files detected
    c:\documents and settings\m0430732\favorites\going places\travel.lnk


    AvenueMedia.DyFuCA Browser Plug-in more information...
    Details: DyFuCA Internet Optimizer is an adware which also hijacks your browser error page. It opens pop-up windows to display ads from its network sites periodically, also is known to update itself.
    Status: Ignored

    Infected files detected
    c:\documents and settings\m0430732\local settings\temp\cfin
    c:\documents and settings\m0430732\local settings\temp\cfout.txt

    Infected registry entries detected
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}


    Adw.MRJ.Lowzone Adware more information...
    Details: Adw.MRJ.Lowzone adds trusted zones and displays ads.
    Status: Ignored
     
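    The CounterSpy log above flags two hijack locations that are worth checking by hand when a scanner cannot act on its own findings: the Internet Explorer URLSearchHooks key (the DyFuCA entry, listed with a non-standard "_{...}" value name) and Trusted-zone additions (the Adw.MRJ.Lowzone entry). The following PowerShell script is an added example, not code from the thread or from any of the tools mentioned in it; it only reads the registry and reports what it finds. The registry paths are the standard Internet Explorer locations, and the zone id 2 for "Trusted sites" is the documented value; the function names are my own.

```powershell
# Added example (not from the thread): read-only triage of two hijack locations
# named in the scan log above. Run as the affected user in Windows PowerShell.

$hookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-UrlSearchHooks {
    # Each value name under URLSearchHooks is a CLSID; resolve it to the DLL
    # that implements it and check whether that DLL carries a valid signature.
    if (-not (Test-Path $hookKey)) { return @() }
    $props = Get-ItemProperty -Path $hookKey
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $_.Name }
    foreach ($name in $names) {
        # Strip anything before the brace: the log shows an "_{...}" variant
        $clsid  = $name -replace '^[^{]*', ''
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        $status = 'no InprocServer32 key'
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server).'(default)'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path $dll) {
                    $status = (Get-AuthenticodeSignature -FilePath $dll).Status
                } else {
                    $status = 'DLL missing on disk'
                }
            }
        }
        [pscustomobject]@{
            Entry     = $name
            Clsid     = $clsid
            Dll       = $dll
            Signature = $status
            Oddity    = if ($name -ne $clsid) { 'value name is not a bare CLSID' } else { '' }
        }
    }
}

function Get-TrustedZoneDomains {
    # ZoneMap\Domains\<domain>[\<host>] holds values named http, https or *
    # whose DWORD data is the zone id; 2 means "Trusted sites".
    if (-not (Test-Path $zoneKey)) { return @() }
    Get-ChildItem -Path $zoneKey -Recurse | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ((@('http', 'https', '*') -contains $p.Name) -and ($p.Value -eq 2)) {
                [pscustomobject]@{
                    Domain = $key.Name -replace '^.*\\Domains\\', ''
                    Scheme = $p.Name
                    Zone   = 'Trusted'
                }
            }
        }
    }
}

Write-Host '== URL search hooks =='
Get-UrlSearchHooks | Format-Table -AutoSize

Write-Host '== Domains placed in the Trusted sites zone =='
Get-TrustedZoneDomains | Format-Table -AutoSize
```

    Anything in the first table whose DLL is unsigned, missing, or whose value name is not a plain CLSID, and anything in the second table you did not add yourself, is a candidate for the scanner's Remove or Quarantine action once it can be run normally (for example from Safe Mode, as suggested later in this thread).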
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    When you have completed the CS scan, can't you change the drop-down box from Ignore to Remove or Quarantine?
     
  12. mjh2006

    mjh2006 Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    6
    No. As soon as the scan finishes, it immediately goes to a pop-up screen with the information and the Ignore messages. It looks like something is disabling the program.
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    • Download WinPFind
    • Right-click the Zip folder and select "Extract All"
    • Extract it somewhere you will remember, like the Desktop
    • Don't do anything with it yet!

    Reboot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Double-click WinPFind.exe
    • Click "Configure Scan Options"
    • Select "Run Add ONs" and then select ALL the options in the box below it, then press Apply
    • Now click "Start Scan"
    • It will scan the entire system, so please be patient!
    • Once the scan is complete:
      • Reboot back to Normal Mode!
      • Go to the WinPFind folder
      • Locate WinPFind.txt
      • Place those results in the next post. It will be too big to post, so you will need to attach it to your reply.
     
Short URL to this thread: https://techguy.org/437065
