MagicControl.Agent & "hidden" program "bwieas.exe"



jfreymann
2005-12-25, 17:29
Spybot S&D is reporting MagicControl.Agent; fixing it does not get rid of it.

I've noticed that Norton Antivirus is getting probed by C:\windows\system32\bwieas.exe. However, that file "doesn't exist" even when show hidden and system files is enabled in Windows Explorer.

I have run the following programs to clean up several other pieces of spyware on this system:

McAfee FreeScan
Norton Antivirus
Spybot S&D
smitRem
approposfix
CCleaner
Ewido
TrojanHunter
SFC /scannow

Here is a "min" log: Start /min Hijackthis.exe /autolog

Logfile of HijackThis v1.99.1
Scan saved at 9:20:11 AM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Toshiba\Ivp\ISM\pinger.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\windows\system32\bwieas.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Common Files\Symantec Shared\ccLgView.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Updates\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\Toshiba\Ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bwieas] c:\windows\system32\bwieas.exe bwieas
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135216308388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4657/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

pskelley
2005-12-25, 20:03
Hello and welcome to the forum. Before we start, please go to your C:\ drive, right-click a blank spot and make a new folder. Call it HJT and move HijackThis and any logs in the "Updates" folder into the new folder, which will look like this: C:\HJT\HijackThis.exe. You can delete that other folder unless you store something else in it.

Now I must say that C:\windows\system32\bwieas.exe is running from your system32 folder and showing plainly in your log, in running processes and also here:
O4 - HKLM\..\Run: [bwieas] c:\windows\system32\bwieas.exe bwieas
This is probably your problem. If you wish to check it before removing it, use these free online scanners and share the information with me.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

I understand you may have run some of these; I would appreciate your following these directions as I make sure you are clean.

1) SpybotSD TeaTimer may interfere with our fix. It is a good program, but we need to turn it off until we are finished; make sure you remember to turn it back on.
http://russelltexas.com/malware/teatimer.htm

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, then update and configure them as in the link. Run Spybot first, reboot, then run Ad-aware. Both programs back up what they remove, so delete anything the programs say should be removed.

3) You have ewido on board; please open the program and update it, and make sure it is configured like this: http://rstones12.geekstogo.com/ewidosetup.htm Run a complete system scan and remove everything located unless you know it is not bad. Make sure you save the scan report, I need to see it.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [bwieas] c:\windows\system32\bwieas.exe bwieas

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
(Make sure the instructions for showing hidden files and folders are followed exactly; we must locate and delete this item.)
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

c:\windows\system32\bwieas.exe >>> file

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html


Thanks...pskelley
TomCoyote forum
Expert Member

I wish to take a moment to give you some information about this program: C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe See this: http://castlecops.com/startuplist-1690.html I suggest you take this up with your Internet Service Provider and have them give you instructions for removing this junk.

When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

jfreymann
2005-12-26, 07:45
:angel:

Thanks for the timely post on Christmas Day no less!! I'm working on a laptop for a friend, and you've given us a great Christmas present.

I was not able to see or delete the bwieas file until I used the command prompt dir and delete commands. I had to boot in safe mode to delete the file.

One interesting side effect of this infection was that clicking "view report" in the disk defragmenter caused MMC to lock up. Once bwieas was gone, that problem went away.

Here's the result of Jotti's malware scan 2.99-TRANSITION_TO_3.00


File: bwieas.exe
Status: INFECTED/MALWARE
MD5 05a1c1c15236edfe06469d799768d4f4
Packers detected: YODAPROTECT
Scanner results
AntiVir Found Packer/YodaProt packer
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic.IFA
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.NaviPromo
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.NaviPromo.m
NOD32 Found a variant of Win32/Adware.NaviPromo application
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Note: running the Kaspersky online scan did not find the virus; I had to upload the file to one of the file-specific scanners.

Note: Uploading the file could not be done with "point and click", I had to manually type in the full path name of the file to get it to upload ("c:\windows\system32\bwieas.exe")

Thank you for all of your help!
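The two posts above describe the detail that gives bwieas.exe away: it is registered under HKLM\..\Run and appears in the running-process list, yet Explorer does not list the file even with hidden and system files shown, and only a command-prompt dir in safe mode reached it. The script below is an added example (not from this thread, not from HijackThis, Jotti or any other tool named here) of how that cross-check can be automated over a HijackThis log: it parses the "Running processes" section, the O4 Run entries and the R0/R1 browser settings, then flags any autostart target inside the system32 directory that is running but missing from the shell's directory listing, and any search page or SearchURL default set to about:blank. The log excerpt and the Explorer listing are constructed from lines in this thread; the listing omits bwieas.exe on purpose. In real use the listing would come from the shell and the other side from a raw directory read or the process table; here both are embedded so it runs offline.

```python
"""Triage a HijackThis-style log for two signs discussed in this thread:
an autostart entry whose file the shell cannot see, and about:blank IE
search hijacks. Added example; log excerpt and listing are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the first HijackThis log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\bwieas.exe
C:\Updates\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Pinger] C:\Toshiba\Ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bwieas] c:\windows\system32\bwieas.exe bwieas
"""

# Constructed: file names Explorer showed in system32 with hidden and system
# files enabled. bwieas.exe is deliberately absent, as in the thread.
SYSTEM32 = r"C:\WINDOWS\system32"
EXPLORER_LISTING = {"smss.exe", "svchost.exe", "igfxtray.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^(?P<type>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
# IE values that Spybot's CoolWWWSearch.Aboutblank report in this thread covers
HIJACKED_IE_VALUES = {"search page", "(default)"}


def norm(path: str) -> str:
    """Case-fold and unquote a Windows path so log and registry spellings compare equal."""
    return path.strip().strip('"').replace("/", "\\").lower()


def extract_target(cmd: str) -> str:
    """Pull the executable out of a Run-key command line. Quoted paths are taken
    verbatim; otherwise the text up to the first .exe token (HijackThis quotes
    paths that contain spaces, so this covers its output)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text: str) -> Tuple[List[str], List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (running processes, O4 autostart entries, R0/R1 browser settings)."""
    processes, autoruns, browser = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(norm(line))
            continue
        m = O4_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["target"] = norm(extract_target(entry["cmd"]))
            autoruns.append(entry)
            continue
        m = R_RE.match(line)
        if m:
            browser.append(m.groupdict())
    return processes, autoruns, browser


def hidden_autoruns(processes, autoruns, listing_dir, listing_names) -> List[str]:
    """Autostart targets inside listing_dir that are running but that the shell
    listing does not show. A file the kernel executes and the shell cannot
    enumerate is the cross-view discrepancy that directory-hiding code produces."""
    running = set(processes)
    vdir = norm(listing_dir)
    visible = {n.lower() for n in listing_names}
    flagged = []
    for e in autoruns:
        d, _, name = e["target"].rpartition("\\")
        if d == vdir and e["target"] in running and name not in visible:
            flagged.append(e["target"])
    return flagged


def search_hijacks(browser) -> List[str]:
    """R0/R1 lines whose search page or SearchURL default is about:blank."""
    return [
        f'{e["type"]} {e["key"]},{e["value"].strip()} = {e["data"]}'
        for e in browser
        if e["data"].strip().lower() == "about:blank"
        and e["value"].strip().lower() in HIJACKED_IE_VALUES
    ]


def triage(log: str, listing_dir: str, listing_names) -> Dict[str, List[str]]:
    processes, autoruns, browser = parse_hjt(log)
    return {
        "hidden_autoruns": hidden_autoruns(processes, autoruns, listing_dir, listing_names),
        "search_hijacks": search_hijacks(browser),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG, SYSTEM32, EXPLORER_LISTING).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The check is deliberately narrow: it only compares the one directory for which a shell listing was captured, so a legitimately installed program outside system32 (ccApp.exe, pinger.exe) is never flagged, and the Run entry that is visible in the listing (igfxtray.exe) passes. Anything it does flag is exactly what pskelley asked for: a path to submit to Jotti or VirusTotal before deleting it.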

pskelley
2005-12-26, 15:07
I am sorry, perhaps I should not have been doing logs on the holiday. I would like to verify you are clean; would you post the ewido scan report as suggested here:

Make sure you save the scan report, I need to see it.

And a new HJT log. Let me know how everything is running now. Thanks for the information about the malware item. I have information for you to help you stay safe and clean once I review this information.

Thanks...Phil

jfreymann
2005-12-26, 17:11
I deeply appreciate your taking the time for working on this yesterday!

I will update the logs later today.

Thank you again!

jfreymann
2005-12-26, 23:40
I've attached 3 logs:

Kaspersky On-line Scan log
Ewido Scan Log
HJT Scan log

I've run the following:

Disabled TeaTimer & SDHelper (forced reboot due to BSOD "PFN_Corrupt_List" fatal exception)

Kaspersky On-Line Virus Scan - found quarantined viruses in the Norton Quarantine and in the System Restore directories (didn't remove) (Log attached)

Norton "installed" scan - Found Dialer.InstantAccess in c:\windows\system32\msclock32.dll (removed it) reran and didn't find it. File date 12/24/05.

Started and updated SpyBot S&D 1.4 (no updates found)
Disabled ethernet and wireless network connections
Disabled Norton autoprotect
Ran Spybot scan - No threats found

Enabled Norton autoprotect
Enabled ethernet
Started and updated Ad-Aware SE Personal 1.06 (no updates found)
Disabled ethernet
Disabled Norton autoprotect
Ran Ad-Aware scan (found a few tracking cookies)

Enabled Norton autoprotect
Enabled Ethernet
Started and updated Ewido (updates successfully downloaded)
Disabled ethernet
Disabled Norton Autoprotect
Ran Ewido Scan - (found 1 tracking cookie Log attached)

Enabled Norton Autoprotect
Ran HJT (log attached)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, December 26, 2005 11:30:18
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/12/2005
Kaspersky Anti-Virus database records: 157392
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 75111
Number of viruses found: 3
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 4945 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\214E74FA.tmp Infected: Rootkit.Win32.Agent.ao
C:\Program Files\Norton AntiVirus\Quarantine\47216914.exe Infected: Trojan.Win32.Crypt.t
C:\Program Files\Norton AntiVirus\Quarantine\47283D0D.exe Infected: Trojan.Win32.Crypt.t
C:\Program Files\Norton AntiVirus\Quarantine\473564FF.exe Infected: Trojan-Downloader.Win32.VB.id
C:\Program Files\Norton AntiVirus\Quarantine\5D3A33B5.tmp Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145201.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145202.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145203.exe Infected: Trojan.Win32.Crypt.t

Scan process completed.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:06:55 PM, 12/26/2005
+ Report-Checksum: 7A49515C

+ Scan result:

C:\Documents and Settings\david hinks\Cookies\david hinks@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup


::Report End

-----------------------------------------------------------------------
HiJackThis
-----------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:10:10 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Toshiba\Ivp\ISM\pinger.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\Toshiba\Ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135216308388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4657/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

pskelley
2005-12-27, 00:24
Thanks for posting this information, let's look at the HJT log first:
Logfile of HijackThis v1.99.1 Scan saved at 3:10:10 PM, on 12/26/2005
I see no evidence of any malware in this HJT log, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html

ewido anti-malware - Scan report Created on: 3:06:55 PM, 12/26/2005

It is obvious this is not the first ewido scan, since you already had it. If possible I would like to see the first scan you ran when you downloaded ewido. If this is not possible, that will be ok. If that first scan report is there, it would be in:
ewido > security suite > Reports > a mouse-over of the scans in the Reports file will show the first report. If it is there, open the notepad and paste the information to this thread. Thanks.

I am concerned about the mention of Rootkit in the quarantine area of Norton in the Kaspersky scan. Let's hope Norton got it all. I would like you to navigate to C:\Program Files\Norton AntiVirus\Quarantine\ and delete everything in that folder. You may have to do it in safe mode if you can't delete the stuff in quarantine:
http://www.bleepingcomputer.com/forums/tutorial61.html
Then follow the instructions I posted earlier to clean out the old System Restore files and set new ones. Then run the Kaspersky scan and post it. I would like to know how everything is running at this point. Review the information from the experts I posted for help staying clean online. Run the computer for a while, keeping an eye open for anything abnormal.

Thanks...Phil

jfreymann
2005-12-27, 00:38
Phil,

Here are the earlier Ewido scan logs you requested. Note they did not detect the issue with bwieas.exe (I believe that it hid itself very effectively from the Windows shell somehow).

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:56:48 AM, 12/24/2005
+ Report-Checksum: 3C1EFF2B

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup


::Report End

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:23:25 AM, 12/25/2005
+ Report-Checksum: A7B87F8C

+ Scan result:

No infected objects found.


::Report End

jfreymann
2005-12-27, 06:33
Phil,

Interesting behavior here:

Disabled restore points
Rebooted system
Re-ran Kaspersky
RP content files still present and infected; confirmed through System Restore that the restore point was "gone".
Rebooted in safe mode
Allowed Administrator access to System Volume Information Folder
Manually delete RP contents folder
Rebooted
Re-ran Kaspersky
No viruses found
Re-enabled restore points

What next??

Here are the two Kaspersky logs:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, December 26, 2005 18:38:19
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/12/2005
Kaspersky Anti-Virus database records: 167633
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 69804
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 3808 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145201.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145202.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145203.exe Infected: Trojan.Win32.Crypt.t

Scan process completed.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, December 26, 2005 22:21:47
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/12/2005
Kaspersky Anti-Virus database records: 167672
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 69780
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 3758 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.
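
The two Kaspersky reports above carry the thread's key point: every remaining detection sat under C:\System Volume Information\_restore{...}\RPnnn\, that is, inside a System Restore snapshot rather than in a live location, which is why purging that restore point and nothing else produced a clean second scan. The parser below is an added example, not part of the original thread and not Kaspersky tooling. It reads a report in the on-line scanner's text format, separates restore-point copies from live hits, and cross-checks the count against the report's own "Number of infected objects" line. The sample report is constructed for the example in the thread's format; its first two entries mirror the thread's restore-point hits and the third path (C:\WINDOWS\system32\hypothetical.exe) is invented so that both classes appear.

```python
"""Classify Kaspersky On-line Scanner detections: restore-point copies vs live files."""
from __future__ import annotations
import re
from dataclasses import dataclass

# A System Restore snapshot path: <drive>:\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP\d+\\", re.IGNORECASE)
# One detection line from the "Infected Object Name - Virus Name" section
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<name>\S+)$")
STATED = re.compile(r"^Number of infected objects:\s*(\d+)\s*$", re.MULTILINE)

# Constructed sample in the thread's report format. The third path is a hypothetical
# live location added here only so that a non-snapshot hit is classified too.
SAMPLE_REPORT = r"""
KASPERSKY ON-LINE SCANNER REPORT
Monday, December 26, 2005 18:38:19

Scan Statistics:
Total number of scanned objects: 69804
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0

Infected Object Name - Virus Name
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145201.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145202.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\system32\hypothetical.exe Infected: Trojan.Win32.Crypt.t

Scan process completed.
"""


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    name: str

    @property
    def in_restore_point(self) -> bool:
        """True when the object is a System Restore copy, not a file in a live location."""
        return RESTORE_POINT.search(self.path) is not None


def parse_report(text: str) -> list[Detection]:
    """Extract every '<path> Infected: <name>' line from a scanner report."""
    found = []
    for raw in text.splitlines():
        m = DETECTION.match(raw.strip())
        if m:
            found.append(Detection(m["path"], m["verdict"], m["name"]))
    return found


def summarize(text: str) -> dict:
    """Split detections into snapshot copies and live hits; cross-check the stated total."""
    dets = parse_report(text)
    live = [d for d in dets if not d.in_restore_point]
    stated = STATED.search(text)
    stated_n = int(stated.group(1)) if stated else None
    return {
        "restore_point": len(dets) - len(live),
        "live": len(live),
        "live_paths": [d.path for d in live],
        "stated_infected": stated_n,
        # A mismatch means the parser missed lines, or the pasted report was truncated.
        "consistent": stated_n is None or stated_n == len(dets),
        # Only snapshot copies left: purging the restore point is the whole remediation.
        "only_snapshots": bool(dets) and not live,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

When "only_snapshots" is true the right move is exactly what the post describes: disable System Restore (which discards the snapshots), or grant yourself access to System Volume Information and delete the RP folder, then rescan. A live hit in "live_paths" means something is still running or being re-dropped and needs its own remediation first, since a new restore point would simply snapshot it again.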

jfreymann
2005-12-28, 02:29
Phil,

Here's additional information on what was fixed in earlier passes of Spybot S&D:


--- Report generated: 2005-12-22 01:15 ---

Command Service: System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

Connect MFC Application: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\livesvc

CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Microsoft\Internet Explorer\Main\Search Page=about:blank

CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Microsoft\Internet Explorer\SearchUrl\=about:blank

CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page=about:blank

CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar=about:blank

CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant=about:blank

ISearchTech.SideFind: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media

ShopAtHome: Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\VGroup

AbetterInternet.Aurora: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Mvu

AbetterInternet.Aurora: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Mvu

AbetterInternet.Aurora: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\vidctrl

AbetterInternet.Aurora: Program directory (Directory, fixed)
C:\WINDOWS\system32\vidctrl\

AbetterInternet.Aurora: Data (File, fixed)
C:\Documents and Settings\david hinks\Local Settings\Temp\cfin

AbetterInternet.Aurora: Executable (File, fixed)
C:\Documents and Settings\david hinks\Local Settings\Temp\cfout.txt

AbetterInternet.Aurora: Text file (File, fixed)
C:\WINDOWS\affbun.txt

BookedSpace: Library (File, fixed)
C:\WINDOWS\libbz2.dll

ClimaxBucks.InternetOptimizer: Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Optimizer

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}

DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout

DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt

DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Avenue Media

DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Policies\Avenue Media

DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Avenue Media

DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA

DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer

E2Give: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Ptech

E2Give: Settings (Registry key, fixed)
HKEY_CLASSES_ROOT\AppID\IeBHOs.DLL

E2Give: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control

E2Give: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control.1

E2Give: Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}

E2Give: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}

E2Give: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\E2G

E2Give: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin

Look2Me.Topconverting: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}

Look2Me.Topconverting: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}

Look2Me.Topconverting: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}

Look2Me.Topconverting: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52}

Look2Me.Topconverting: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\SWLAD1.SWLAD

Look2Me.Topconverting: Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}

MagicControl.Agent: Library (File, fixed)
C:\WINDOWS\system32\msegcompid.dll

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig

MagicControl.Agent: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA

MediaMotor: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{A9136CFD-FD01-41B8-9969-0B37720ED8AB}

MediaMotor: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{B2EEDA99-DA99-4D0D-9F7F-143C30521388}

MediaMotor: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{466C63AC-F26E-49F1-861A-E07DA768A46A}

SurfSideKick: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\SurfSideKick3

SurfSideKick: User settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\SurfSideKick3

SurfSideKick: Library (File, fixed)
C:\Documents and Settings\david hinks\Application Data\Sskcwrd.dll

SurfSideKick: Library (File, fixed)
C:\Documents and Settings\david hinks\Application Data\Sskknwrd.dll

Web-Nexus: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer

Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}

Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}

Exact Advertising.BargainsBuddy: Autorun settings (BullsEye Network) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BullsEye Network

Exact Advertising.BargainsBuddy: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}

Exact Advertising.BargainsBuddy: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil

Exact Advertising.BargainsBuddy: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}

Exact Advertising.BargainsBuddy: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\NLS.UrlCatcher

Exact Advertising.BargainsBuddy: Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}

Exact Advertising.BargainsBuddy: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}

Exact Advertising.BargainsBuddy: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\NLS.UrlCatcher.1

AdDestroyer: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\VB and VBA Program Settings\AdDestroyer

AdDestroyer: Program directory (Directory, fixed)
C:\Documents and Settings\All Users\Application Data\AdDestroyer\

Adlogix: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{1CFB8B32-4053-4144-AF6F-1540EEC7F101}

Delfin Project: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1

Delfin Project: Class ID (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}

Delfin Project: Program directory (Directory, fixed)
C:\Documents and Settings\All Users\Application Data\nsv\

Delfin Project: Program directory (Directory, fixed)
C:\WINDOWS\system32\nsvsvc\

Delfin Project: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}

Delfin Project: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}

Delfin Project: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}

Elitum.EliteBar: Program directory (Directory, fixed)
C:\WINDOWS\etb\

Elitum.EliteBar: Configuration file (File, fixed)
C:\WINDOWS\etb\etb.ini

Network Essentials.SmartpopOops: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}

Network Essentials.SmartpopOops: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}

Network Essentials.SmartpopOops: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}

Network Essentials.SmartpopOops: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9}

Network Essentials.SmartpopOops: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\PopOops2.PopOops

Network Essentials.SmartpopOops: Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}

Qoologic: Settings (Registry key, fixed)
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}

Qoologic: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}

VBouncer: Program directory (Directory, fixed)
C:\Documents and Settings\All Users\Application Data\VBouncer\

VBouncer: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\VB and VBA Program Settings\VBouncer

VBouncer: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\DistID

Windows AdTools: Data (File, fixed)
C:\WINDOWS\system32\ide21201.vxd

HitBox: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


Advertising.com: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


Advertising.com: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


DoubleClick: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


Hotbar: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-16 Includes\Cookies.sbi (*)
2005-12-16 Includes\Dialer.sbi (*)
2005-12-16 Includes\Hijackers.sbi (*)
2005-12-16 Includes\Keyloggers.sbi (*)
2005-12-16 Includes\Malware.sbi (*)
2005-12-16 Includes\PUPS.sbi (*)
2005-12-16 Includes\Revision.sbi (*)
2005-12-16 Includes\Security.sbi (*)
2005-12-16 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-16 Includes\Trojans.sbi (*)


--- Report generated: 2005-12-22 09:32 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-16 Includes\Cookies.sbi (*)
2005-12-16 Includes\Dialer.sbi (*)
2005-12-16 Includes\Hijackers.sbi (*)
2005-12-16 Includes\Keyloggers.sbi (*)
2005-12-16 Includes\Malware.sbi (*)
2005-12-16 Includes\PUPS.sbi (*)
2005-12-16 Includes\Revision.sbi (*)
2005-12-16 Includes\Security.sbi (*)
2005-12-16 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-16 Includes\Trojans.sbi (*)


--- Report generated: 2005-12-22 20:08 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-16 Includes\Cookies.sbi (*)
2005-12-16 Includes\Dialer.sbi (*)
2005-12-16 Includes\Hijackers.sbi (*)
2005-12-16 Includes\Keyloggers.sbi (*)
2005-12-16 Includes\Malware.sbi (*)
2005-12-16 Includes\PUPS.sbi (*)
2005-12-16 Includes\Revision.sbi (*)
2005-12-16 Includes\Security.sbi (*)
2005-12-16 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-16 Includes\Trojans.sbi (*)


--- Report generated: 2005-12-22 20:29 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-16 Includes\Cookies.sbi (*)
2005-12-16 Includes\Dialer.sbi (*)
2005-12-16 Includes\Hijackers.sbi (*)
2005-12-16 Includes\Keyloggers.sbi (*)
2005-12-16 Includes\Malware.sbi (*)
2005-12-16 Includes\PUPS.sbi (*)
2005-12-16 Includes\Revision.sbi (*)
2005-12-16 Includes\Security.sbi (*)
2005-12-16 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-16 Includes\Trojans.sbi (*)


--- Report generated: 2005-12-24 01:06 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig

MagicControl.Agent: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA

Alexa Related: Link (Replace file, fixed)
C:\WINDOWS\Web\related.htm


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-23 Includes\Cookies.sbi (*)
2005-12-23 Includes\Dialer.sbi (*)
2005-12-23 Includes\Hijackers.sbi (*)
2005-12-23 Includes\Keyloggers.sbi (*)
2005-12-23 Includes\Malware.sbi (*)
2005-12-23 Includes\PUPS.sbi (*)
2005-12-23 Includes\Revision.sbi (*)
2005-12-23 Includes\Security.sbi (*)
2005-12-23 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-23 Includes\Trojans.sbi (*)

jfreymann
2005-12-28, 02:29
And what didn't fit above....

--- Report generated: 2005-12-25 07:31 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-23 Includes\Cookies.sbi (*)
2005-12-23 Includes\Dialer.sbi (*)
2005-12-23 Includes\Hijackers.sbi (*)
2005-12-23 Includes\Keyloggers.sbi (*)
2005-12-23 Includes\Malware.sbi (*)
2005-12-23 Includes\PUPS.sbi (*)
2005-12-23 Includes\Revision.sbi (*)
2005-12-23 Includes\Security.sbi (*)
2005-12-23 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-23 Includes\Trojans.sbi (*)


--- Report generated: 2005-12-25 22:47 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig

MagicControl.Agent: User settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-23 Includes\Cookies.sbi (*)
2005-12-23 Includes\Dialer.sbi (*)
2005-12-23 Includes\Hijackers.sbi (*)
2005-12-23 Includes\Keyloggers.sbi (*)
2005-12-23 Includes\Malware.sbi (*)
2005-12-23 Includes\PUPS.sbi (*)
2005-12-23 Includes\Revision.sbi (*)
2005-12-23 Includes\Security.sbi (*)
2005-12-23 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-23 Includes\Trojans.sbi (*)



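What a practitioner pulls out of this long run of Spybot reports is the pattern rather than any single line: the LanConfig key is reported "fixed" in every report from 2005-12-22 to 2005-12-25, and the mc\SA value ends up at "fixing failed". An item that is removed on one scan and is back on the next is being re-created by something still running (the thread's candidate was the hidden bwieas.exe process), so no amount of rescanning with the same tools will finish the job. The script below is an added example, not part of the thread and not Spybot code. It parses the Spybot 1.4 report format shown above (entry line, target line, per-report version footer), lists targets that recur across reports, and lists entries whose fix did not succeed. The sample input is a constructed, trimmed set of three reports built from the thread's own entries.

```python
"""Find recurring and unfixable items across a run of Spybot S&D 1.4 reports."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

HEADER = re.compile(r"^--- Report generated: (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ---$")
FOOTER = re.compile(r"^--- Spybot - Search & Destroy version: ")
# "<product>: <description> (<kind>, <status>)"; the target (registry path or file)
# is on the following line, except for cookies, which carry no target line.
ENTRY = re.compile(r"^(?P<product>[^:]+?): (?P<desc>.+?) \((?P<kind>[^,()]+), (?P<status>[^()]+)\)$")

# Constructed sample: three trimmed reports in the thread's format.
SAMPLE_REPORTS = r"""--- Report generated: 2005-12-22 09:32 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig

HitBox: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-12-16 Includes\Malware.sbi (*)

--- Report generated: 2005-12-24 01:06 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig

MagicControl.Agent: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

--- Report generated: 2005-12-25 22:47 ---

MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig

MagicControl.Agent: User settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
"""


@dataclass(frozen=True)
class Finding:
    report: str          # timestamp from the "Report generated" header
    product: str         # Spybot's threat name, e.g. MagicControl.Agent
    kind: str            # Registry key / Registry value / File / Cookie ...
    status: str          # fixed / fixing failed / nothing done
    target: str | None   # registry path or file path; None for cookies


def parse_reports(text: str) -> list[Finding]:
    """Collect entries between each report header and its version footer."""
    lines = text.splitlines()
    findings: list[Finding] = []
    current = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if (h := HEADER.match(line)):
            current = h["when"]
        elif FOOTER.match(line):
            current = None            # version/definitions block, not findings
        elif current and (m := ENTRY.match(line)):
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            target = None
            if nxt and not (ENTRY.match(nxt) or HEADER.match(nxt) or FOOTER.match(nxt)):
                target = nxt
                i += 1
            findings.append(Finding(current, m["product"], m["kind"], m["status"], target))
        i += 1
    return findings


def recurring_targets(findings: list[Finding], min_reports: int = 2) -> dict[str, list[str]]:
    """Targets seen in at least min_reports distinct reports, with the report times."""
    seen: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f.target:
            seen[f.target].add(f.report)
    return {t: sorted(r) for t, r in seen.items() if len(r) >= min_reports}


def failed_fixes(findings: list[Finding]) -> list[Finding]:
    """Entries Spybot could not remove; a live process usually holds or re-creates them."""
    return [f for f in findings if f.status.lower() == "fixing failed"]


if __name__ == "__main__":
    fs = parse_reports(SAMPLE_REPORTS)
    for target, when in recurring_targets(fs).items():
        print(f"recurs in {len(when)} reports: {target}")
    for f in failed_fixes(fs):
        print(f"fix failed ({f.kind}) in {f.report}: {f.target}")
```

Anything that surfaces in recurring_targets is the list to take to a process and autostart review (running processes, services, Run keys, BHOs) rather than back to the scanner; a "fixing failed" registry value on a key that is rewritten every scan is the same signal from a second angle.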
pskelley
2005-12-28, 03:00
I say you are good to go; use the information I provided earlier to help you stay clean and safe online.

safe surfing...Phil:bigthumb:

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

jfreymann
2005-12-28, 23:53
Phil,

Looking good, ran all the scanners and nothing but cookies!

Thank you :crowned: for all your advice and timely help!

John

pskelley
2005-12-29, 00:17
Thanks John, be careful, there is some nasty stuff out there. tashi will be along to close you up shortly.

Phil:greeting:

tashi
2006-01-03, 00:34
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please pm me or one of the forum mods.

Glad we could help. :)