
impossible spyware! URGENT!


Chadi
17 Dec 2005, 4:12pm
Not sure where it all began, but I'm just about 100% sure it is one of these three that I got from this site:

http://www.desktopgadgets.com/

I downloaded:

Stickies
OMNI analogue
Neowin RSS Reader

Then I downloaded something I got from a link in the RSS reader. I can't get the link anymore because I cleared all my cache / history / cookies. However, it was some kind of "weather" script; it worked fine too, used the MS .NET Framework and was "Weather Channel" integrated (www.weather.com).

Software I ran (XP Pro, Safe Mode), latest definitions:

CCleaner
HiJack This
Spybot S&D
Spyware Blaster
MS Antispyware
Trend Micro Antispyware
CWShredder
AdAware
Spyware Sweeper
Ewido

Can't run any online virus checks as the spyware is preventing me from actually doing that!

Specs:
XP Pro
IBM Thinkpad

Problems I noticed that confirm some spyware:
My personal site: I can't see portions of it (works on other computers).
I can't input in certain text field boxes, including the RSS reader (was working before).
Download.com - can't click on "expand" in software list
Some portions of download.com missing (download links)

SPYWARE SWEEPER REPORT:

********
1:21 AM: | Start of Session, Saturday, December 17, 2005 |
1:21 AM: Spy Sweeper started
1:21 AM: Sweep initiated using definitions version 586
1:21 AM: Starting Memory Sweep
1:26 AM: Memory Sweep Complete, Elapsed Time: 00:05:11
1:26 AM: Starting Registry Sweep
1:27 AM: Registry Sweep Complete, Elapsed Time:00:00:10
1:27 AM: Starting Cookie Sweep
1:27 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:27 AM: Starting File Sweep
1:33 AM: Found Adware: altnet
1:33 AM: a0018498.exe (ID = 111765)
1:33 AM: Found Adware: instafinder
1:33 AM: a0018455.exe (ID = 63654)
1:33 AM: Found Adware: directrevenue-thebestoffersnetwork
1:33 AM: a0018474.exe (ID = 166800)
1:33 AM: a0018489.manifest (ID = 49859)
1:34 AM: a0018456.exe (ID = 166800)
1:34 AM: a0018504.exe (ID = 49802)
1:35 AM: Found Adware: screensavers
1:35 AM: a0020061.exe (ID = 74759)
1:37 AM: a0020062.dll (ID = 74752)
1:40 AM: a0018490.dll (ID = 49877)
1:42 AM: a0018488.exe (ID = 49862)
1:43 AM: a0018503.exe (ID = 49793)
1:49 AM: Found System Monitor: potentially rootkit-masked files
1:49 AM: irunin.lng (ID = 0)
1:49 AM: sdctrls.dll (ID = 0)
1:49 AM: dlp.dll (ID = 0)
1:49 AM: hiddenfiles.txt (ID = 0)
1:49 AM: quarantinedexecutables.txt (ID = 0)
1:49 AM: quarantinedlibraries.txt (ID = 0)
1:50 AM: Warning: Unhandled Archive Type
1:50 AM: File Sweep Complete, Elapsed Time: 00:23:43
1:50 AM: Full Sweep has completed. Elapsed time 00:28:39
1:50 AM: Traces Found: 17
1:51 AM: Removal process initiated
1:51 AM: Quarantining All Traces: potentially rootkit-masked files
1:51 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
1:51 AM: hiddenfiles.txt is in use. It will be removed on reboot.
1:51 AM: quarantinedexecutables.txt is in use. It will be removed on reboot.
1:51 AM: quarantinedlibraries.txt is in use. It will be removed on reboot.
1:51 AM: Quarantining All Traces: altnet
1:51 AM: Quarantining All Traces: instafinder
1:51 AM: Quarantining All Traces: screensavers
1:51 AM: Quarantining All Traces: directrevenue-thebestoffersnetwork
1:51 AM: Removal process completed. Elapsed time 00:00:10
********
10:06 PM: | Start of Session, Friday, December 16, 2005 |
10:06 PM: Spy Sweeper started
10:06 PM: Sweep initiated using definitions version 586
10:06 PM: Starting Memory Sweep
10:07 PM: BHO Shield: found: SCActiveBlock.dll-- BHO installation allowed at user request
10:08 PM: Memory Sweep Complete, Elapsed Time: 00:02:10
10:08 PM: Starting Registry Sweep
10:08 PM: Found Adware: cws-aboutblank
10:08 PM: HKCR\protocols\filter\text/html\ (2 subtraces) (ID = 114343)
10:08 PM: HKLM\software\classes\protocols\filter\text/html\ (2 subtraces) (ID = 115907)
10:08 PM: Found Adware: screensavers
10:08 PM: HKLM\software\screensavers.com\ (14 subtraces) (ID = 140569)
10:08 PM: Registry Sweep Complete, Elapsed Time:00:00:13
10:08 PM: Starting Cookie Sweep
10:08 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:08 PM: Starting File Sweep
10:16 PM: File Sweep Complete, Elapsed Time: 00:07:13
10:16 PM: Full Sweep has completed. Elapsed time 00:09:39
10:16 PM: Traces Found: 21
10:16 PM: Removal process initiated
10:16 PM: Quarantining All Traces: cws-aboutblank
10:16 PM: Quarantining All Traces: screensavers
10:16 PM: Removal process completed. Elapsed time 00:00:07
11:27 PM: Processing Startup Alerts
11:27 PM: Allowed Startup entry: SpyCatcher Reminder
11:27 PM: Allowed Startup entry: Stickies.lnk
11:27 PM: Allowed Startup entry: gcasServ
********
10:05 PM: | Start of Session, Friday, December 16, 2005 |
10:05 PM: Spy Sweeper started
10:05 PM: Your spyware definitions have been updated.
10:06 PM: Updating spyware definitions
10:06 PM: Your definitions are up to date.
10:06 PM: | End of Session, Friday, December 16, 2005 |

EWIDO REPORT:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:54:34 AM, 12/17/2005
+ Report-Checksum: 4B8EDDB5

+ Scan result:

C:\Documents and Settings\Chadi\Cookies\chadi@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Utilities\backups\backup-20051216-221949-982.dll -> Adware.Webdir : Cleaned with backup

Logfile of HijackThis v1.99.1
Scan saved at 10:46:05 AM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Utilities\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talkjesus.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talkjesus.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\UTILIT~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Forms\roboform.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Forms\roboform.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [CTSysVol] C:\Multimedia\Creative\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\MULTIM~1\Creative\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Multimedia\Creative\Go\CTCMSGo.exe /SYS
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Forms\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Forms\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Forms\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Forms\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\UTILIT~1\SPYWAR~3\tools\iesdpb.dll (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Forms\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Forms\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Forms\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Forms\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Forms\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Forms\RoboFormComShowToolbar.html
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\WINDOW~4\wbsrv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Adobe\Photoshop Elements\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Adobe\Photoshop Elements\PhotoshopElementsDeviceConnect.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Utilities\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Utilities\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Utilities\Tune Up\WinStylerThemeSvc.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
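As an added example (not code from the original post, and not part of HijackThis itself), a small Python triage script that parses the HijackThis log layout shown above and marks the entries a responder would check first before deleting anything: stale "(file missing)" items, unnamed objects, Winlogon Notify DLLs, downloaded ActiveX controls, services without a publisher, and Run entries that name a bare executable. The sample lines are constructed in the same layout as the log above.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis 1.99 layout ("<section> - <rest>"); lines mirror the post above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Utilities\\Spybot\\SDHelper.dll
O4 - HKLM\\..\\Run: [TpShocks] TpShocks.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\\UTILIT~1\\SPYWAR~3\\tools\\iesdpb.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WBSrv - C:\\PROGRA~1\\WINDOW~4\\wbsrv.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\\WINDOWS\\system32\\PsaSrv.exe (file missing)
"""
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")  # header and "Running processes" lines do not match

# Markers and sections that deserve a manual look before anything is removed.
TEXT_NOTES = {
    "(file missing)": "points at a file that no longer exists (stale entry)",
    "(no name)": "unnamed object; identify it by its CLSID before trusting it",
    "Unknown owner": "service without a publisher string",
}
SECTION_NOTES = {
    "O16": "ActiveX control downloaded from a URL; confirm the host is expected",
    "O20": "Winlogon Notify DLL, loaded into winlogon.exe at logon",
}

@dataclass
class Entry:
    section: str
    text: str
    reasons: List[str] = field(default_factory=list)

def parse_hjt(log: str) -> List[Entry]:
    """One Entry per R/F/N/O line of a HijackThis log."""
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [Entry(m.group(1), m.group(2)) for m in matches if m]

def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review reasons and return only the entries that got at least one."""
    for e in entries:
        e.reasons += [note for marker, note in TEXT_NOTES.items() if marker in e.text]
        if e.section in SECTION_NOTES:
            e.reasons.append(SECTION_NOTES[e.section])
        if e.section == "O4":  # "[name] command": a bare file name is resolved via PATH
            command = e.text.split("] ", 1)[-1].strip('"')
            if "\\" not in command:
                e.reasons.append("Run entry has no full path; verify where the binary lives")
    return [e for e in entries if e.reasons]
```

Run `triage(parse_hjt(open("hijackthis.log").read()))` on a saved log to get the short list worth checking by hand; entries it does not flag are not thereby clean, only less urgent.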