Unknown, possibly randomly renaming popup malware software



hoodlum
2006-01-15, 15:39
Hello folks

The issue I have is with two things - firstly the Bulletproofsoft which I recently found out isn't a legal bit of software - purely for copyright reasons or is it true malware too? I have the Sock fix and will run that to clear that one

The second one is the funny looking name in the hijack log - I can't even find the system32 folder in which it's located. Quite odd. I have show system folders and hidden files checked.

Help appreciated :)

Logfile of HijackThis v1.99.1
Scan saved at 14:12:50, on 15/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\Raptor-Gaming\RGM2\Panel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CPUCooL\CPUCooL.exe
F:\Drivers and Downloads\Drive D contents\Drivers and Downloads\Spybot Software\HijackThis1991.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [Raptor-Gaming M2] "C:\Program Files\Raptor-Gaming\RGM2\Panel.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: CPUCooL.lnk = C:\Program Files\CPUCooL\CPUCooL.exe
O4 - Global Startup: Microsoft Office.lnk = F:\OFFICE\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\OFFICE\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\p68qlgl516q.dll
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I have trouble removing the O20 entry. No software I have detects any problems. I still get popups though. Thoughts anyone?

hoodlum
2006-01-17, 21:16
My own ham-fisted attempts at clearing out the intrusive software has led to the popups stopping, but I still have the odd line in at O17.

At this rate, a reformat and reinstall is becoming a better idea by the minute.


Logfile of HijackThis v1.99.1
Scan saved at 20:13:50, on 17/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Drivers and Downloads\Drive D contents\Drivers and Downloads\Spybot Software\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Raptor-Gaming M2] "C:\Program Files\Raptor-Gaming\RGM2\Panel.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: CPUCooL.lnk = C:\Program Files\CPUCooL\CPUCooL.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = F:\OFFICE\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\OFFICE\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD09132-E37B-4BDA-A0EC-E40747E5EBAC}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

pskelley
2006-01-17, 21:20
Hello and welcome to the forum. It appears from a look at your log that this is your problem:
Winlogon Notify MS-DOS Emulation, Nls, OemStartMenuData, OfficeUpdate,
OptimalLayout, policies, Reinstall, Reliability X random named dll in the System32 folder Variant of Adware.Look2Me

Before we can get to that, we must do a few other things, let's number them to keep us organized. Please do them in the numbered order.

1) You are running HJT from F:\ and I do not know that is safe. The program creates backups for safety and I wish to have them if we need them. I want you to move HJT here: C:\HJT\HijackThis.exe. If you need more instruction use these: http://russelltexas.com/malware/createhjtfolder.htm

2) Tea Timer is a great program but it may block the fix we must make. Use the instructions in this link to turn it off until you are finished:
http://russelltexas.com/malware/teatimer.htm

3) http://www.bulletproofsoft.com/ This is where we check spyware programs: http://www.spywarewarrior.com/rogue_anti-spyware.htm and it is not listed as bad, I know nothing about the product.

4) SpySweeper is generally the easiest way to remove this item, and we will try it first. We must use the FREE TRIAL version. You will find the link to the download at the bottom of the page in the link I am about to provide. Download the FREE TRIAL and follow the instructions.

http://www.webroot.com/consumer/products/spysweeper/latestv.html
Download the free trial version of Spy Sweeper
Note: On that page, in the Spy Sweeper section, click the link for "Free Trial", NOT the link for "Free Spyware Scan".
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, and then please copy and paste the SpySweeper log into this thread, along with a new HJT log and let me know how the computer is running now.

Thanks...pskelley
Safer Networking Forums

hoodlum
2006-01-18, 19:35
Hi Pskelly
Many thanks for your response - instructions followed and results posted as requested:
spysweeper log:
********
17:48: | Start of Session, 18 January 2006 |
17:48: Spy Sweeper started
17:48: Sweep initiated using definitions version 602
17:48: Starting Memory Sweep
17:50: Memory Sweep Complete, Elapsed Time: 00:01:10
17:50: Starting Registry Sweep
17:50: Found Adware: elitemediagroup-mediamotor
17:50: HKLM\software\ssprint\ (2 subtraces) (ID = 140214)
17:50: Found Adware: command
17:50: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
17:50: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
17:50: Registry Sweep Complete, Elapsed Time:00:00:05
17:50: Starting Cookie Sweep
17:50: Found Spy Cookie: clickzs cookie
17:50: administrator@cz7.clickzs[2].txt (ID = 2413)
17:50: Found Spy Cookie: enhance cookie
17:50: system@c.enhance[1].txt (ID = 2614)
17:50: Found Spy Cookie: dealtime cookie
17:50: system@dealtime[1].txt (ID = 2505)
17:50: system@stat.dealtime[1].txt (ID = 2506)
17:50: Cookie Sweep Complete, Elapsed Time: 00:00:00
17:50: Starting File Sweep
17:52: uninstall_nmon.vbs (ID = 231442)
17:58: u36ste.vbs (ID = 185675)
17:58: Warning: File not found
17:58: Warning: File not found
17:58: Warning: File not found

(edited out lots of the 1758 line "warning: file not found")

17:58: File Sweep Complete, Elapsed Time: 00:08:16
17:58: Full Sweep has completed. Elapsed time 00:09:34
17:58: Traces Found: 25
18:03: Removal process initiated
18:03: Quarantining All Traces: command
18:03: Quarantining All Traces: elitemediagroup-mediamotor
18:03: Quarantining All Traces: clickzs cookie
18:03: Quarantining All Traces: dealtime cookie
18:03: Quarantining All Traces: enhance cookie
18:03: Removal process completed. Elapsed time 00:00:00
********
17:47: | Start of Session, 18 January 2006 |
17:47: Spy Sweeper started
17:47: Sweep initiated using definitions version 602
17:47: Starting Memory Sweep
17:48: Sweep Canceled
17:48: Memory Sweep Complete, Elapsed Time: 00:00:35
17:48: Traces Found: 0
17:48: | End of Session, 18 January 2006 |
********
17:45: | Start of Session, 18 January 2006 |
17:45: Spy Sweeper started
17:46: Your spyware definitions have been updated.
17:47: | End of Session, 18 January 2006 |

HJT log created whilst online:
Logfile of HijackThis v1.99.1
Scan saved at 18:26:08, on 18/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Raptor-Gaming\RGM2\Panel.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CPUCooL\CPUCooL.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Raptor-Gaming M2] "C:\Program Files\Raptor-Gaming\RGM2\Panel.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: CPUCooL.lnk = C:\Program Files\CPUCooL\CPUCooL.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = F:\OFFICE\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\OFFICE\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD09132-E37B-4BDA-A0EC-E40747E5EBAC}: NameServer = 195.92.195.94 195.92.195.95
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Not sure that it looks great - still got a funny looking IP address in there :(
I await your verdict

hoodlum
2006-01-18, 19:40
duh - didn't turn tea timer off

hoodlum
2006-01-18, 20:22
tea timer off
Logfile of HijackThis v1.99.1
Scan saved at 19:17:34, on 18/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raptor-Gaming\RGM2\Panel.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CPUCooL\CPUCooL.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Raptor-Gaming M2] "C:\Program Files\Raptor-Gaming\RGM2\Panel.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: CPUCooL.lnk = C:\Program Files\CPUCooL\CPUCooL.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = F:\OFFICE\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\OFFICE\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

and the spysweeper log.
********
18:53: | Start of Session, 18 January 2006 |
18:53: Spy Sweeper started
18:53: Sweep initiated using definitions version 602
18:53: Starting Memory Sweep
18:54: Memory Sweep Complete, Elapsed Time: 00:01:10
18:54: Starting Registry Sweep
18:54: Registry Sweep Complete, Elapsed Time:00:00:05
18:54: Starting Cookie Sweep
18:54: Cookie Sweep Complete, Elapsed Time: 00:00:00
18:54: Starting File Sweep
19:02: Warning: File not found

19:02: Warning: File not found
19:02: Warning: File not found
19:02: Warning: File not found
19:02: Warning: File not found
19:02: Warning: File not found
19:02: Warning: File not found
19:02: File Sweep Complete, Elapsed Time: 00:08:14
19:02: Full Sweep has completed. Elapsed time 00:09:31
19:02: Traces Found: 0
********
17:48: | Start of Session, 18 January 2006 |
17:48: Spy Sweeper started
17:48: Sweep initiated using definitions version 602
17:48: Starting Memory Sweep
17:50: Memory Sweep Complete, Elapsed Time: 00:01:10
17:50: Starting Registry Sweep
17:50: Found Adware: elitemediagroup-mediamotor
17:50: HKLM\software\ssprint\ (2 subtraces) (ID = 140214)
17:50: Found Adware: command
17:50: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
17:50: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
17:50: Registry Sweep Complete, Elapsed Time:00:00:05
17:50: Starting Cookie Sweep
17:50: Found Spy Cookie: clickzs cookie
17:50: administrator@cz7.clickzs[2].txt (ID = 2413)
17:50: Found Spy Cookie: enhance cookie
17:50: system@c.enhance[1].txt (ID = 2614)
17:50: Found Spy Cookie: dealtime cookie
17:50: system@dealtime[1].txt (ID = 2505)
17:50: system@stat.dealtime[1].txt (ID = 2506)
17:50: Cookie Sweep Complete, Elapsed Time: 00:00:00
17:50: Starting File Sweep
17:52: uninstall_nmon.vbs (ID = 231442)
17:58: u36ste.vbs (ID = 185675)
17:58: Warning: File not found

17:58: Warning: File not found
17:58: Warning: File not found
17:58: File Sweep Complete, Elapsed Time: 00:08:16
17:58: Full Sweep has completed. Elapsed time 00:09:34
17:58: Traces Found: 25
18:03: Removal process initiated
18:03: Quarantining All Traces: command
18:03: Quarantining All Traces: elitemediagroup-mediamotor
18:03: Quarantining All Traces: clickzs cookie
18:03: Quarantining All Traces: dealtime cookie
18:03: Quarantining All Traces: enhance cookie
18:03: Removal process completed. Elapsed time 00:00:00
18:04: Deletion from quarantine initiated
18:04: Processing: clickzs cookie
18:04: Processing: command
18:04: Processing: dealtime cookie
18:04: Processing: elitemediagroup-mediamotor
18:04: Processing: enhance cookie
18:04: Deletion from quarantine completed. Elapsed time 00:00:00
********
17:47: | Start of Session, 18 January 2006 |
17:47: Spy Sweeper started
17:47: Sweep initiated using definitions version 602
17:47: Starting Memory Sweep
17:48: Sweep Canceled
17:48: Memory Sweep Complete, Elapsed Time: 00:00:35
17:48: Traces Found: 0
17:48: | End of Session, 18 January 2006 |
********
17:45: | Start of Session, 18 January 2006 |
17:45: Spy Sweeper started
17:46: Your spyware definitions have been updated.
17:47: | End of Session, 18 January 2006 |


Again - chopped out lots and lots of the 1902 warning file not found messages.
Hoodlum

hoodlum
2006-01-18, 20:24
and a few minutes later, that odd IP address is back

Logfile of HijackThis v1.99.1
Scan saved at 19:23:09, on 18/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raptor-Gaming\RGM2\Panel.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CPUCooL\CPUCooL.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\HJT\HijackThis1991.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Raptor-Gaming M2] "C:\Program Files\Raptor-Gaming\RGM2\Panel.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: CPUCooL.lnk = C:\Program Files\CPUCooL\CPUCooL.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = F:\OFFICE\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\OFFICE\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD09132-E37B-4BDA-A0EC-E40747E5EBAC}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

pskelley
2006-01-18, 22:45
Hello and what I don't see is Look2me left in your log. How is the computer running? Have you located your C:\Windows\System32\ yet? If not it is in the C:\Windows\ folder. Don't confuse it with C:\Windows\System\ that is another folder.

This item: O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD09132-E37B-4BDA-A0EC-E40747E5EBAC}: NameServer = 195.92.195.95 195.92.195.94 My search came up with this:

The Wanadoo settings: Domain name service is dynamic - but if domain name server (DNS) addresses are required, you should use 195.92.195.94 and 195.92.195.95 ...

If you wish to be sure, check with your ISP: http://help.wanadoo.co.uk/results.do

Since the HJT log is clean, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html

Not a bad idea to make sure nothing bad got backed up in System Restore, use this information:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Don't forget SpySweeper using resources and after the trial period (unless you purchase it) does you no good and should be uninstalled.

If we can help with anything else, let us know.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
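
An added example, not part of this thread and not HijackThis's own logic, that turns the two observations above (the random-named System32 DLL registered as a Winlogon Notify handler in the first log, and the O17 NameServer entry that had to be checked against the ISP's published resolvers) into a small triage script over HJT log lines. The random-name heuristic, the Wanadoo resolver list taken from the quoted support text, and the extra O17 line using the TEST-NET address 192.0.2.53 are all assumptions made for the example:

```python
"""Added example: triage the O17 / O20 lines of a HijackThis log.

Flags (a) Winlogon Notify handlers whose DLL lives in System32 under a
random-looking name, the pattern the thread attributes to Look2Me, and
(b) NameServer entries that are not the ISP's published resolvers.
"""
import re
from ipaddress import ip_address

# Resolvers quoted from the Wanadoo support text in the thread (assumption:
# these are the only legitimate values for this user's connection).
WANADOO_DNS = {"195.92.195.94", "195.92.195.95"}

# Constructed sample: three lines copied from the logs above plus one
# fabricated O17 line (TEST-NET address 192.0.2.53) to exercise the check.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD09132-E37B-4BDA-A0EC-E40747E5EBAC}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\p68qlgl516q.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*?: NameServer = (?P<servers>.+)$")


def looks_random(filename: str) -> bool:
    """Heuristic (an assumption, not a vendor rule): names such as
    p68qlgl516q.dll mix letters and digits in several alternating runs
    and contain at least two digits; legitimate DLLs rarely do."""
    stem = filename.rsplit(".", 1)[0].lower()
    digits = sum(ch.isdigit() for ch in stem)
    runs = len(re.findall(r"[a-z]+|[0-9]+", stem))
    return digits >= 2 and runs >= 3


def check_winlogon_notify(line: str):
    """Return a finding for an O20 line pointing at a random-named System32 DLL."""
    m = O20_RE.match(line)
    if not m:
        return None
    path = m.group("path").strip()
    basename = path.rsplit("\\", 1)[-1]
    if "\\system32\\" in path.lower() and looks_random(basename):
        return {"type": "O20", "key": m.group("key"), "path": path,
                "reason": "random-looking DLL name registered as a Winlogon Notify handler"}
    return None


def check_nameserver(line: str, expected: set):
    """Return a finding for an O17 line whose resolvers are not all expected."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = m.group("servers").replace(",", " ").split()
    unexpected = []
    for s in servers:
        try:
            ip_address(s)
        except ValueError:
            unexpected.append(s)      # not even an IP address
            continue
        if s not in expected:
            unexpected.append(s)
    if unexpected:
        return {"type": "O17", "servers": servers, "unexpected": unexpected,
                "reason": "NameServer differs from the ISP's published resolvers"}
    return None


def triage(log_text: str, expected_dns: set) -> list:
    """Run both checks over every line and collect the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        finding = check_winlogon_notify(line) or check_nameserver(line, expected_dns)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, WANADOO_DNS):
        print(f["type"], f["reason"], f)
```

On the sample the script reports the fabricated 192.0.2.53 resolver and the p68qlgl516q.dll handler, and stays quiet on the genuine Wanadoo entry and on Webroot's WRLogonNTF.dll. The name heuristic is only a triage aid: a hit still needs confirming (file hash, publisher, the registry key it is loaded from) before anything is deleted, and a clean name proves nothing.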

hoodlum
2006-01-18, 23:08
Pskelly

Been running the PC for a few hours tonight now and all seems well.
Thank you very much for your time and effort spent in helping me with my problem. You, sir, are a star.

Regards

Hoodlum.

LonnyRJones
2006-01-22, 13:19
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC let me or Tashi know.