search.search-exe.com & Downloadware

IndigoRedIndigoRed Perth Western Australia Icrontian
edited April 2007 in Spyware & Virus Removal
G'day folks,

I'm on an inherited pc and have discovered I've inherited one heck of alot more than one would normally expect :tongue:

Let me preface this by saying I've done heaps of disinfecting in my time (and learned alot by you folks along the way...) but this has me stumped. I have removed most of the bugs out of this system, but these ones you see in my log just won't give up.

So what have I tried... I've run Ad-aware, Spybot, (oops, and AVG), Defender, HJT, and Panda. I've tried it both in normal and safe mode. It still comes back.

So without further ado:




Logfile of HijackThis v1.99.1
Scan saved at 10:22:55 AM, on 1/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SiSAudUt.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\netterm\netterm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Tamara.MARSDEN\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -vxd
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\tsadbot.exe"
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKCU\..\Run: [sp] C:\sp.exe
O4 - Global Startup: SmartUI.lnk = C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?bb0dafe8ffc04715ba1a1ce3634fde07
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?bb0dafe8ffc04715ba1a1ce3634fde07
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168998184708
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marsdenmcgain.com.au
O17 - HKLM\Software\..\Telephony: DomainName = marsdenmcgain.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marsdenmcgain.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = marsdenmcgain.com.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = marsdenmcgain.com.au
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe



Thanks

Comments

  • VekaVeka Finland
    edited March 2007
    Hi, IndigoRed. I will check your log, please wait.
  • VekaVeka Finland
    edited March 2007
    Let's start as follows:
    • Run HijackThis
    • Click Open the Misc Tool selection
    • Click Unistall Manager
    • Click Save list
    • Save uninstall_list.txt to your desktop
    • Copy uninstall list and post it here
  • IndigoRedIndigoRed Perth Western Australia Icrontian
    edited March 2007
    Thanks Vekarppe,

    Here's the list.

    Also, I'm thinking these adwares and such are no longer related to anything left on the pc since they don't sem to be affecting my performance. Of course I want to be rid of them in case I'm wrong.

    I've also tried deleting them out of the registery manually, but they return as soon as I do and that's with Spybot running in the background. Bloody frustrating!

    Cheers mate.


    Ad-aware 6 Professional
    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    Adobe Flash Player 9 ActiveX
    AVG Anti-Spyware 7.5
    Belarc Advisor 7.2
    Brother MFC Software Suite
    Brother MFL-Pro Suite
    CA eTrust Antivirus
    CADKEY Workshop EX V21
    Canon Camera Support Core Library
    Canon Camera Window DS for ZoomBrowser EX
    Canon Camera Window DVC for ZoomBrowser EX
    Canon Camera Window for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon MultiPASS Suite 4.00
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities PhotoStitch 3.1
    Canon ZoomBrowser EX
    CCleaner (remove only)
    Eyewitness Encyclopedia of Nature 2.1
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB929120)
    J2SE Runtime Environment 5.0 Update 3
    LimeWire PRO 4.12.6
    Logitech MouseWare 9.79.1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional
    Microsoft Project 98
    Microsoft Publisher 2002
    MONOPOLY
    Mozilla (1.7.12)
    MSXML 4.0 SP2 (KB927978)
    MYOB Accounting Plus v15
    MYOB QuickBooks Conversion Assistant
    Nero - Burning Rom
    NetTerm
    New Atlas of the Solar System
    Panda ActiveScan
    PaperPort
    QuickTime
    Rhapsody Player Engine
    SecondLife (remove only)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Sentinel System Driver 5.41.0 (32-bit)
    Shockwave
    SiS Audio Driver
    Smart Explorer 6.1
    Smart Menus (Windows Live Toolbar)
    Spybot - Search & Destroy 1.4
    Stamina 2.5
    Tabbed Browsing (Windows Live Toolbar)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB931836)
    Windows Defender
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Toolbar
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Toolbar Feed Detector (Windows Live Toolbar)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinRAR archiver
  • VekaVeka Finland
    edited March 2007
    Add or Remove Program list is clean :thumbsup:

    =========================================

    Download ATF Cleaner
    • Run ATF Cleaner
    • Under Main choose Select All
    • Click Empty Selected
    • If you use Firefox browser
      • Click Firefox at the top and choose Select All
      • Click Empty Selected
        NOTE: If you would like to keep your saved passwords, click No at the prompt.
    • If you use Opera browser
      • Click Opera at the top and choose Select All
      • Click Empty Selected
        NOTE: If you would like to keep your saved passwords, click No at the prompt
    • Click Exit on the Main menu to close the program
    =========================================
    • Start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • Click the Scanner icon
    • Open the Settings tab
      • Make sure that under How to act? is read Quarantine
        (If not, click the text and choose Quarantine)
      • Under How to scan? all checkboxes should be ticked
      • Under Reports select Automatically generate report after every scan
        and uncheck Only if threats were found
      • Under What to scan? select Scan every file
    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware
    =========================================

    Reboot your computer in Safe Mode
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    =========================================
    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Complete System Scan
    • Let the program scan the machine
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" is read Quarantine
        (If not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop
    =========================================

    Send fresh HijackThis log and AVG Anti-Spyware log
  • IndigoRedIndigoRed Perth Western Australia Icrontian
    edited March 2007
    Well, I hate to say it...
    As you asked, ran ATF, updated AVG and set the settings as asked and ran it in safe mode.

    AVG Anti-Spyware - Scan Report

    + Created at: 10:50:00 AM 2/03/2007

    + Scan result:



    Nothing found.


    ::Report end



    Logfile of HijackThis v1.99.1
    Scan saved at 11:23:48 AM, on 2/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\SiSAudUt.exe
    C:\WINDOWS\System32\fxredir.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\GSM\GLOBAL.EXE
    C:\Documents and Settings\Tamara.MARSDEN\Desktop\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -vxd
    O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
    O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\MPTBox.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\tsadbot.exe"
    O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
    O4 - HKCU\..\Run: [sp] C:\sp.exe
    O4 - Global Startup: SmartUI.lnk = C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?bb0dafe8ffc04715ba1a1ce3634fde07
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?bb0dafe8ffc04715ba1a1ce3634fde07
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168998184708
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marsdenmcgain.com.au
    O17 - HKLM\Software\..\Telephony: DomainName = marsdenmcgain.com.au
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marsdenmcgain.com.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = marsdenmcgain.com.au
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = marsdenmcgain.com.au
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe



    There's got to be something somewhere putting this stuf back into the registry. I even ran HJT in safe mode and deleted these. But something somewhere is putting them back.
  • VekaVeka Finland
    edited March 2007
    IndigoRed wrote:
    I even ran HJT in safe mode and deleted these. But something somewhere is putting them back.

    Did you closed Spybot SD TeaTimer and AVG Anti-Spyware guard before fixing with HJT?
  • IndigoRedIndigoRed Perth Western Australia Icrontian
    edited March 2007
    Hi Vekarrpe,
    I'm pretty sure I turned Guard off, yes, you asked me to. I don't think I turned off Tea Timer. I don't think it's active in Safe Mode, is it?
    Anyway, today's Saturday and the pc is at work, so I won't be continuing until Monday. Thanks so far for your help. Hopefully we'll get to the bottom of this soon!

    Cheers!
  • IndigoRedIndigoRed Perth Western Australia Icrontian
    edited March 2007
    Hello again Vekarrpe,
    It seems these things just will not go away. There must be a dropper somewhere re-activating these bugs. The files referenced (sp.exe, se.exe, etc) do not exist on my system, but what ever is telling these things to reload into the registry is still around. Any ideas?
    Hjt log has not changed to above. Tried again to scan in safe mode with teatimer off and all seemed clear until I rebooted.
    Is there a good spyware scanner for the registry?
  • VekaVeka Finland
    edited March 2007
    Please print out these instructions or save them to your desktop as a text file with Notepad

    Ok, there is a couple of real time monitoring programs that maybe prevent HJT fixes. Please, turn off these

    Spybot S&D (Teatimer)
    • Run Spybot-S&D in Advanced Mode.
    • If it is not already set to do this Go to the Mode menu select Advanced Mode.
    • On the left hand side, Click on Tools.
    • Then click on the Resident Icon in the List.
    • Uncheck "Resident TeaTimer" and OK any prompts.
    • Restart your computer.
    AVG Anti-Spyware
    • Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
    • In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking Change state which will then change the protection status to 'inactive'.
    • If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
    • Reply no and set it to 'inactive' for the duration of your cleanup.
    Windows Defender
    • Click on Tools.
    • Click on General Settings.
    • Scroll down to "Real-time protection options".
    • Uncheck Turn on Real-time protection (recommended).
    • Click Save.
    Ad-Aware Ad-Watch
    • Right click on the Ad-Watch icon in the system tray.
    • At the bottom of the screen there will be two checkable items called Active and Automatic.

      Active: This will turn Ad-Watch On\Off without closing it
      Automatic: Suspicious activity will be blocked automatically
    • Uncheck both of those boxes.
    ==========================================

    When done, run HijackThis (in normal mode) and click Do a system scan only.
    Check the boxes next to all the entries listed below:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=

    O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
    O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\tsadbot.exe"
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
    O4 - HKCU\..\Run: [sp] C:\sp.exe
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H

    Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot into safe mode.
    • If the computer is running, shut down Windows, and then turn off the power
    • Wait 30 seconds, and then turn the computer on
    • Start tapping the F8 key
    • The Windows Advanced Options Menu appears
    • Ensure that the Safe Mode option is selected
    • Press Enter. The computer then begins to start in Safe mode
    • Login on your usual account
    Show Hidden Program or System Files
    • Close all programs so that you are at your desktop
    • Double-click on the My Computer icon
    • Select the Tools menu and click Folder Options
    • After the new window appears select the View tab
    • Put a checkmark in the checkbox labeled Display the contents of system folders
    • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
    • Remove the checkmark from the checkbox labeled Hide protected operating system files
    • Press the Apply button and then the OK button and shutdown My Computer
    • Now your computer is configured to show all hidden files
    ==========================================

    Find and remove following folders if found:

    C:\Program Files\DelFin
    C:\Program Files\TimeSink
    C:\Program Files\DownloadWare
    C:\Program Files\se

    And this file:

    C:\sp.exe

    ==========================================

    Restart your computer and send new HijackThis log.
  • IndigoRedIndigoRed Perth Western Australia Icrontian
    edited March 2007
    Hi Vekarrpe,

    Well it's fixed. After much hair pulling and prodding I discovered the problem was Lavasoft's Ad-Watch. Basically it was acting like the "dropper" I mentioned. It wasn't allowing the changes to the registry when I was deleting the malware, thus putting the registry back to its state before the deletion. It has to do with the settings within Ad-Watch, but all good now. Funnily enough it was even putting them back when Ad-Aware was deleting them! Now THAT'S ironic!

    But having said I found the issue, I won't detract from your advice. You were a big help in that I started looking at the antispyware guards in the first place due to your instructions.

    That's for your help. Even us pros :rolleyes: get stuck once in a while... :scratch:

    So for you and this outrageously good team...


    :clap::clap::thumbsup::thumbsup: :celebrate :thumbsup::thumbsup::clap::clap:
  • VekaVeka Finland
    edited March 2007
    That is good to hear. :thumbsup: So, everything is OK now?


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure: Reenable system restore with instructions from tutorial above
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
    • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources
    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

      This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

      Instructions for - Spybot S & D and Ad-aware
    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware
    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

    Happy surfing and stay clean! It was glad to help you.
  • edited April 2007
    Good job vekarppe. :)

    Glad Short-Media could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.

    This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

    If you are not the user who started this thread, you must start a new Thread instead :)

    Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available here
This discussion has been closed.