Solved: Adware, poss WinAntivirus?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

GrumpyHermit

Thread Starter
Joined
May 23, 2004
Messages
464
Log of Hijack This!

Logfile of HijackThis v1.99.1
Scan saved at 3:32:07 PM, on 7/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Bob Evans\My Documents\Program Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.accuradio.com
O15 - Trusted Zone: *.akamai.net
O15 - Trusted Zone: rainweb2.streamguys.com
O15 - Trusted Zone: *.yimg.com
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093028462573
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133357826917
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

====================================================

Webroot SpySweeper results:

********
2:21 PM: | Start of Session, Wednesday, July 12, 2006 |
2:21 PM: Spy Sweeper started
2:21 PM: Sweep initiated using definitions version 717
2:21 PM: Starting Memory Sweep
2:24 PM: Memory Sweep Complete, Elapsed Time: 00:03:27
2:24 PM: Starting Registry Sweep
2:25 PM: Registry Sweep Complete, Elapsed Time:00:00:09
2:25 PM: Starting Cookie Sweep
2:25 PM: Found Spy Cookie: websponsors cookie
2:25 PM: karen [email protected][2].txt (ID = 3665)
2:25 PM: Found Spy Cookie: go.com cookie
2:25 PM: karen [email protected][2].txt (ID = 2729)
2:25 PM: Found Spy Cookie: ask cookie
2:25 PM: karen [email protected][2].txt (ID = 2245)
2:25 PM: Found Spy Cookie: atwola cookie
2:25 PM: karen [email protected][1].txt (ID = 2255)
2:25 PM: Found Spy Cookie: bizrate cookie
2:25 PM: karen [email protected][2].txt (ID = 2308)
2:25 PM: Found Spy Cookie: columbiahouse cookie
2:25 PM: karen [email protected][1].txt (ID = 2443)
2:25 PM: Found Spy Cookie: coolsavings cookie
2:25 PM: karen [email protected][2].txt (ID = 2465)
2:25 PM: Found Spy Cookie: 360i cookie
2:25 PM: karen [email protected][2].txt (ID = 1962)
2:25 PM: Found Spy Cookie: dealtime cookie
2:25 PM: karen [email protected][1].txt (ID = 2505)
2:25 PM: karen [email protected][1].txt (ID = 2729)
2:25 PM: karen [email protected][2].txt (ID = 2728)
2:25 PM: Found Spy Cookie: ic-live cookie
2:25 PM: karen [email protected][1].txt (ID = 2821)
2:25 PM: Found Spy Cookie: sb01 cookie
2:25 PM: karen [email protected][2].txt (ID = 3288)
2:25 PM: Found Spy Cookie: metareward.com cookie
2:25 PM: karen [email protected][1].txt (ID = 2990)
2:25 PM: Found Spy Cookie: nextag cookie
2:25 PM: karen [email protected][2].txt (ID = 5014)
2:25 PM: Found Spy Cookie: one-time-offer cookie
2:25 PM: karen [email protected][1].txt (ID = 3095)
2:25 PM: Found Spy Cookie: pub cookie
2:25 PM: karen [email protected][1].txt (ID = 3205)
2:25 PM: Found Spy Cookie: realmedia cookie
2:25 PM: karen [email protected][2].txt (ID = 3235)
2:25 PM: karen [email protected][1].txt (ID = 2729)
2:25 PM: Found Spy Cookie: reunion cookie
2:25 PM: karen [email protected][2].txt (ID = 3255)
2:25 PM: karen [email protected][1].txt (ID = 2729)
2:25 PM: karen [email protected][1].txt (ID = 2729)
2:25 PM: Found Spy Cookie: pch cookie
2:25 PM: karen [email protected][2].txt (ID = 3124)
2:25 PM: karen [email protected][1].txt (ID = 2506)
2:25 PM: Found Spy Cookie: megago cookie
2:25 PM: karen [email protected][1].txt (ID = 2983)
2:25 PM: karen [email protected][1].txt (ID = 2729)
2:25 PM: Found Spy Cookie: clickxchange adware cookie
2:25 PM: karen [email protected][1].txt (ID = 2409)
2:25 PM: Found Spy Cookie: tendollars cookie
2:25 PM: karen [email protected][1].txt (ID = 6367)
2:25 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:25 PM: Starting File Sweep
2:50 PM: Warning: Invalid file - not a PKZip file
2:50 PM: Warning: Invalid file - not a PKZip file
2:50 PM: Warning: Invalid Stream
2:50 PM: Warning: Invalid Stream
2:50 PM: File Sweep Complete, Elapsed Time: 00:25:33
2:50 PM: Full Sweep has completed. Elapsed time 00:29:17
2:50 PM: Traces Found: 28
2:52 PM: Removal process initiated
2:52 PM: Quarantining All Traces: 360i cookie
2:52 PM: Quarantining All Traces: ask cookie
2:52 PM: Quarantining All Traces: atwola cookie
2:52 PM: Quarantining All Traces: bizrate cookie
2:52 PM: Quarantining All Traces: clickxchange adware cookie
2:52 PM: Quarantining All Traces: columbiahouse cookie
2:52 PM: Quarantining All Traces: coolsavings cookie
2:52 PM: Quarantining All Traces: dealtime cookie
2:52 PM: Quarantining All Traces: go.com cookie
2:52 PM: Quarantining All Traces: ic-live cookie
2:52 PM: Quarantining All Traces: megago cookie
2:52 PM: Quarantining All Traces: metareward.com cookie
2:52 PM: Quarantining All Traces: nextag cookie
2:52 PM: Quarantining All Traces: one-time-offer cookie
2:52 PM: Quarantining All Traces: pch cookie
2:52 PM: Quarantining All Traces: pub cookie
2:52 PM: Quarantining All Traces: realmedia cookie
2:52 PM: Quarantining All Traces: reunion cookie
2:52 PM: Quarantining All Traces: sb01 cookie
2:52 PM: Quarantining All Traces: tendollars cookie
2:52 PM: Quarantining All Traces: websponsors cookie
2:52 PM: Removal process completed. Elapsed time 00:00:04
********
2:19 PM: | Start of Session, Wednesday, July 12, 2006 |
2:19 PM: Spy Sweeper started
2:20 PM: Your spyware definitions have been updated.
2:21 PM: | End of Session, Wednesday, July 12, 2006 |

====================================================

Panda ActiveScan results:


Incident Status Location

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Bob Evans\Application Data\Mozilla\Firefox\Profiles\default.di4\cookies.txt[.statcounter.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Bob Evans\Application Data\Mozilla\Firefox\Profiles\default.di4\cookies.txt[.realmedia.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Bob Evans\Application Data\Mozilla\Firefox\Profiles\default.di4\cookies.txt[.go.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Bob Evans\Application Data\Mozilla\Firefox\Profiles\default.di4\cookies.txt[.atwola.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Bob Evans\Application Data\Mozilla\Firefox\Profiles\default.di4\cookies.txt[.apmebf.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Bob Evans\Application Data\Mozilla\Firefox\Profiles\default.di4\cookies.txt[.bravenet.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Bob Evans\Application Data\Mozilla\Firefox\Profiles\default.di4\cookies.txt[.anm.co.uk/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Bob Evans\Desktop\Unused Desktop Shortcuts\VundoFix\VundoFix\process.exe
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Karen King\Cookies\karen [email protected][2].txt


===============================================

I did an Ewido scan and got some stuff out too, but forgot to save a report of that one, sorry. :(

Any Help appreciated.
 
Joined
Sep 7, 2004
Messages
49,014
Looks fine - all they found were cookies

IE - Block Third party cookies
1. Click on the Tools button on the Internet Explorer tool bar.
2. Highlight and click on Internet options at the bottom of the Tools menu.
3. Select the Privacy Tab of the Internet Options menu.
4. Select the Advanced... button at the bottom of the screen.
5. Select the "Override automatic cookie handling" button.
6. To block third party cookies select block under "Third-party cookies".
7. Select "always allow session cookies".
8. Click on the OK button at the bottom of the screen.
===============
In Firefox - TOOLS - OPTIONS - PRIVACY - COOKIES - Check originating site only
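Added example (not part of the original posts and not Webroot tooling): a small Python triage of a Spy Sweeper session log in the format posted above. It checks that every detection is a cookie, that the reported trace count matches the trace lines, and that every detected family was quarantined. The sample log is a constructed excerpt with placeholder file names; treating any `Found <category>:` heading other than `Spy Cookie` as a non-cookie detection is an assumption about the log format.

```python
import re

# Constructed excerpt in the session-log format shown in the thread
# (cookie file names are placeholders, not values from the post).
SAMPLE_LOG = """\
2:25 PM: Starting Cookie Sweep
2:25 PM: Found Spy Cookie: go.com cookie
2:25 PM: user@example-a[2].txt (ID = 2729)
2:25 PM: Found Spy Cookie: dealtime cookie
2:25 PM: user@example-b[1].txt (ID = 2505)
2:25 PM: user@example-c[1].txt (ID = 2729)
2:25 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:50 PM: Traces Found: 3
2:52 PM: Quarantining All Traces: dealtime cookie
2:52 PM: Quarantining All Traces: go.com cookie
"""

LINE = re.compile(r"^\s*\d{1,2}:\d{2} [AP]M: (.*)$")   # "h:mm AM/PM: message"
FOUND = re.compile(r"^Found (.+?): (.+)$")             # category, family name
TRACE = re.compile(r"^.+ \(ID = \d+\)$")               # one trace per line
TOTAL = re.compile(r"^Traces Found: (\d+)$")
QUAR = re.compile(r"^Quarantining All Traces: (.+)$")

def triage(log_text):
    """Summarise one sweep: what was detected, and was all of it removed?"""
    found, quarantined, traces, reported = {}, set(), 0, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # separators, blank lines
        msg = m.group(1).strip()
        if (f := FOUND.match(msg)):
            found[f.group(2)] = f.group(1)
        elif TRACE.match(msg):
            traces += 1
        elif (n := TOTAL.match(msg)):
            reported = int(n.group(1))
        elif (q := QUAR.match(msg)):
            quarantined.add(q.group(1))
    return {
        "families": len(found),
        "traces": traces,
        "count_matches": reported == traces,
        # Assumption: anything not labelled "Spy Cookie" needs a closer look.
        "non_cookie": sorted(k for k, v in found.items() if v != "Spy Cookie"),
        "not_quarantined": sorted(set(found) - quarantined),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty `non_cookie` list together with an empty `not_quarantined` list is the machine-checked form of "all they found were cookies"; anything in either list is worth reading by hand.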
 