Thread: MagicControl.Agent & "hidden" program "bwieas.exe"

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Location
    Grayslake, IL - Suburb of Chicago
    Posts
    0

    MagicControl.Agent & "hidden" program "bwieas.exe"

    Spybot S&D is reporting MagicControl.Agent; fixing it does not get rid of it.

    I've noticed that Norton Antivirus is getting probed by C:\windows\system32\bwieas.exe. However, that file "doesn't exist" even when show hidden and system files is enabled in Windows Explorer.

    I have run the following programs to clean up several other pieces of spyware on this system:

    McAfee FreeScan
    Norton Antivirus
    Spybot S&D
    smitRem
    approposfix
    CCleaner
    Ewido
    TrojanHunter
    SFC /scannow

    Here is a "min" log: Start /min Hijackthis.exe /autolog

    Logfile of HijackThis v1.99.1
    Scan saved at 9:20:11 AM, on 12/25/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
    C:\WINDOWS\System32\CePMTray.exe
    C:\Toshiba\Ivp\ISM\pinger.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\windows\system32\bwieas.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\DfrgNtfs.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Program Files\Common Files\Symantec Shared\ccLgView.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Updates\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
    O4 - HKLM\..\Run: [Pinger] C:\Toshiba\Ivp\ISM\pinger.exe /run
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [bwieas] c:\windows\system32\bwieas.exe bwieas
    O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135216308388
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...57/mcfscan.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Hello and welcome to the forum. Before we start please return to your C:\ and right click a blank spot and make a new folder. Call it HJT and move the HJT and any logs in the "Updates" folder in to the new folder which will look like this: C:\HJT\HijackThis.exe. You can delete that other folder unless you store something else in it?

    Now I must say that: C:\windows\system32\bwieas.exe is running from your system32 folder and showing plainly in your log, in running processes and also here:
    O4 - HKLM\..\Run: [bwieas] c:\windows\system32\bwieas.exe bwieas
    This is probably your problem, if you wish to check it before removing it use these free online scanners and share the information with me.
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html

    I understand you may have run some of these, I would appreciate your following these directions as I make sure you are clean.

    1) SpybotSD TeaTimer may interfere with our fix, it is a good program but we need to turn it off until finished, make sure you remember to turn it back on.
    http://russelltexas.com/malware/teatimer.htm

    2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
    The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

    3) You have ewido onboard, please open the program and update it, make sure it is configured like this: http://rstones12.geekstogo.com/ewidosetup.htm Run a complete system scan, remove everything located unless you know it is not bad. Make sure you save the scan report, I need to see it.

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O4 - HKLM\..\Run: [bwieas] c:\windows\system32\bwieas.exe bwieas

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Enable hidden files & folders; reverse the process when finished.
    (Make sure the instructions for showing hidden files and folders are followed exactly, we must locate and delete this item)
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    c:\windows\system32\bwieas.exe >>> file

    C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
    Prefetch info: http://www.windowsnetworking.com/art...efetch-XP.html


    Thanks...pskelley
    TomCoyote forum
    Expert Member

    I wish to take a moment to give you some information about this program: C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe See this: http://castlecops.com/startuplist-1690.html I suggest you take this up with your Internet Service Provider and have them give you instructions for removing this junk.

    When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

  3. #3
    Junior Member
    Join Date
    Dec 2005
    Location
    Grayslake, IL - Suburb of Chicago
    Posts
    0


    Thanks for the timely post on Christmas Day no less!! I'm working on a laptop for a friend, and you've given us a great Christmas present.

    I was not able to see or delete the bwieas file until I used the command prompt dir and delete commands. I had to boot in safe mode to delete the file.

    One interesting side effect of this infection was that clicking "view report" in the disk defragmenter caused MMC to lock up. Once bwieas was gone, that problem went away.

    Here's the result of Jotti's malware scan 2.99-TRANSITION_TO_3.00

    Service
    Service load: 0% 100%

    File: bwieas.exe
    Status: INFECTED/MALWARE

    MD5 05a1c1c15236edfe06469d799768d4f4
    Packers detected: YODAPROTECT
    Scanner results
    AntiVir Found Packer/YodaProt packer
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found Generic.IFA
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found Adware.NaviPromo
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.NaviPromo.m
    NOD32 Found a variant of Win32/Adware.NaviPromo application
    Norman Virus Control Found nothing
    UNA Found nothing
    VBA32 Found nothing

    Note: running Kaspersky online scan did not find the virus, I had to upload the file to one of the file specific scanners.

    Note: Uploading the file could not be done with "point and click", I had to manually type in the full path name of the file to get it to upload ("c:\windows\system32\bwieas.exe")

    Thank you for all of your help!

  4. #4
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    I am sorry, perhaps I should not have been doing logs on the holiday. I would like to verify you are clean, would you post the ewido scan report as suggested here:
    Make sure you save the scan report, I need to see it.
    And a new HJT log. Let me know how everything is running now. Thanks for the information about the malware item. I have information for you to help you stay safe and clean once I review this information.

    Thanks...Phil

  5. #5
    Junior Member
    Join Date
    Dec 2005
    Location
    Grayslake, IL - Suburb of Chicago
    Posts
    0

    You are a Saint!

    I deeply appreciate your taking the time for working on this yesterday!

    I will update the logs later today.

    Thank you again!

  6. #6
    Junior Member
    Join Date
    Dec 2005
    Location
    Grayslake, IL - Suburb of Chicago
    Posts
    0

    New Logs... Clean??

    I've attached 3 logs:

    Kaspersky On-line Scan log
    Ewido Scan Log
    HJT Scan log

    I've run the following:

    Disabled TeaTimer & SDHelper (forced reboot due to BSOD "PFN_Corrupt_List" fatal exception)

    Kaspersky On-Line Virus Scan - found quarantined viruses in the Norton Quarantine and in the System Restore directories (didn't remove) (Log attached)

    Norton "installed" scan - Found Dialer.InstantAccess in c:\windows\system32\msclock32.dll (removed it) reran and didn't find it. File date 12/24/05.

    Started and updated SpyBot S&D 1.4 (no updates found)
    Disabled ethernet and wireless network connections
    Disabled Norton autoprotect
    Ran Spybot scan - No threats found

    Enabled Norton autoprotect
    Enabled ethernet
    Started and updated Ad-Aware SE Personal 1.06 (no updates found)
    Disabled ethernet
    Disabled Norton autoprotect
    Ran Ad-Aware scan (found a few tracking cookies)

    Enabled Norton autoprotect
    Enabled Ethernet
    Started and updated Ewido (updates successfully downloaded)
    Disabled ethernet
    Disabled Norton Autoprotect
    Ran Ewido Scan - (found 1 tracking cookie Log attached)

    Enabled Norton Autoprotect
    Ran HJT (log attached)

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Monday, December 26, 2005 11:30:18
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 26/12/2005
    Kaspersky Anti-Virus database records: 157392
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 75111
    Number of viruses found: 3
    Number of infected objects: 8
    Number of suspicious objects: 0
    Duration of the scan process: 4945 sec

    Infected Object Name - Virus Name
    C:\Program Files\Norton AntiVirus\Quarantine\214E74FA.tmp Infected: Rootkit.Win32.Agent.ao
    C:\Program Files\Norton AntiVirus\Quarantine\47216914.exe Infected: Trojan.Win32.Crypt.t
    C:\Program Files\Norton AntiVirus\Quarantine\47283D0D.exe Infected: Trojan.Win32.Crypt.t
    C:\Program Files\Norton AntiVirus\Quarantine\473564FF.exe Infected: Trojan-Downloader.Win32.VB.id
    C:\Program Files\Norton AntiVirus\Quarantine\5D3A33B5.tmp Infected: Trojan.Win32.Crypt.t
    C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145201.exe Infected: Trojan.Win32.Crypt.t
    C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145202.dll Infected: Trojan.Win32.Crypt.t
    C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145203.exe Infected: Trojan.Win32.Crypt.t

    Scan process completed.

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 3:06:55 PM, 12/26/2005
    + Report-Checksum: 7A49515C

    + Scan result:

    C:\Documents and Settings\david hinks\Cookies\david hinks@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup


    ::Report End

    -----------------------------------------------------------------------
    HiJackThis
    -----------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 3:10:10 PM, on 12/26/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
    C:\WINDOWS\System32\CePMTray.exe
    C:\Toshiba\Ivp\ISM\pinger.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
    O4 - HKLM\..\Run: [Pinger] C:\Toshiba\Ivp\ISM\pinger.exe /run
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135216308388
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...57/mcfscan.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
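
The Kaspersky report in the post above can be triaged by where each hit lives: inside the antivirus quarantine, inside a System Restore point, or on the live file system. This is an added example, not part of the original post; the function and bucket names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# The eight "Infected Object" lines copied from the Kaspersky report above.
REPORT = r"""
C:\Program Files\Norton AntiVirus\Quarantine\214E74FA.tmp Infected: Rootkit.Win32.Agent.ao
C:\Program Files\Norton AntiVirus\Quarantine\47216914.exe Infected: Trojan.Win32.Crypt.t
C:\Program Files\Norton AntiVirus\Quarantine\47283D0D.exe Infected: Trojan.Win32.Crypt.t
C:\Program Files\Norton AntiVirus\Quarantine\473564FF.exe Infected: Trojan-Downloader.Win32.VB.id
C:\Program Files\Norton AntiVirus\Quarantine\5D3A33B5.tmp Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145201.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145202.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145203.exe Infected: Trojan.Win32.Crypt.t
"""

# "<path> Infected: <detection name>" as printed by the online scanner.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<name>\S+)$")
# XP System Restore store: ...\_restore{GUID}\RPnnn\<renamed file>
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)
# Norton's quarantine folder as it appears in this report.
QUARANTINE_RE = re.compile(r"\\Norton AntiVirus\\Quarantine\\", re.IGNORECASE)


def classify(path):
    """Return (bucket, restore_point_or_None) for one reported path."""
    m = RESTORE_RE.search(path)
    if m:
        return "system_restore", m.group("rp").upper()
    if QUARANTINE_RE.search(path):
        return "av_quarantine", None
    return "live", None


def triage(report):
    """Group hits by storage location; also list restore points and names."""
    buckets = defaultdict(list)
    restore_points, names = set(), set()
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, statistics, blank lines
        bucket, rp = classify(m.group("path"))
        buckets[bucket].append((m.group("path"), m.group("name")))
        names.add(m.group("name"))
        if rp:
            restore_points.add(rp)
    return dict(buckets), sorted(restore_points), sorted(names)


if __name__ == "__main__":
    buckets, rps, names = triage(REPORT)
    for bucket, hits in sorted(buckets.items()):
        print(f"{bucket}: {len(hits)} object(s)")
    print("restore points holding copies:", rps)
    print("distinct detections:", names)
    print("live files needing removal:", len(buckets.get("live", [])))
```

Every hit in this report falls in the quarantine or restore-point buckets, so nothing is flagged on the live file system; the three distinct detection names match the report's "Number of viruses found: 3".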

  7. #7
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Thanks for posting this information, let's look at the HJT log first:
    Logfile of HijackThis v1.99.1 Scan saved at 3:10:10 PM, on 12/26/2005
    I see no evidence of any malware in this HJT log, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://boards.cexx.org/viewtopic.php?t=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html

    ewido anti-malware - Scan report Created on: 3:06:55 PM, 12/26/2005
    It is obvious this is not the first ewido scan since you already had it. If possible I would like to see the first scan you ran when you downloaded ewido. If this is not possible that will be ok. If that first scan report is there it would be in:
    ewido > security suite > Reports > a mouse over the scans in the Reports file will show the first report. If it is there, open the notepad and paste the information to this thread. Thanks.

    I am concerned about the mention of Rootkit in the quarantine area of Norton in the Kaspersky scan. Let's hope Norton got it all. I would like you to navigate to the: C:\Program Files\Norton AntiVirus\Quarantine\ and delete everything in that folder. You may have to do it in safe mode:
    http://www.bleepingcomputer.com/forums/tutorial61.html if you can't delete the stuff in quarantine. Then follow the instructions I posted earlier to clean out the old System Restore files and set new ones. Then run the Kaspersky scan and post it. I would like to know how everything is running at this point. Review the information from the experts I posted for help staying clean online. Run the computer for a while keeping an eye open for anything abnormal.

    Thanks...Phil
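
Comparing the 12/25 and 12/26 HijackThis logs line by line shows what the cleanup changed. This is an added example, not part of any post in the thread: it parses a constructed subset of the two logs, diffs running processes and registry entries, and checks that no removed autorun target is still running; all function names are assumptions.

```python
import re

# Constructed subsets of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\windows\system32\bwieas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bwieas] c:\windows\system32\bwieas.exe bwieas
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\HJT\hijackthis.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

# Section code (R0, O4, O23, ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Executable path inside an O4 registry Run entry body.
RUN_RE = re.compile(
    r'^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] "?(?P<path>[A-Za-z]:\\.+?\.exe)',
    re.IGNORECASE,
)


def parse_hjt(text):
    """Return (running process paths lowercased, set of (code, body) entries)."""
    procs, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.add(line.lower())  # Windows paths are case-insensitive
    return procs, entries


def diff_logs(before, after):
    """What disappeared and what appeared between two logs."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    return {
        "procs_gone": sorted(bp - ap),
        "procs_new": sorted(ap - bp),
        "entries_gone": sorted(be - ae),
        "entries_new": sorted(ae - be),
    }


def lingering(before, after):
    """Targets of removed Run entries that are still running afterwards."""
    _, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    hits = []
    for code, body in sorted(be - ae):
        m = RUN_RE.match(body) if code == "O4" else None
        if m and m.group("path").lower() in ap:
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key)
        for item in items:
            print("   ", item)
    print("removed autoruns still running:", lingering(LOG_BEFORE, LOG_AFTER))
```

The one new autorun in the later log, KernelFaultCheck, is the entry Windows XP adds after a bugcheck to run dumprep, which is consistent with the BSOD mentioned in post #6.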

  8. #8
    Junior Member
    Join Date
    Dec 2005
    Location
    Grayslake, IL - Suburb of Chicago
    Posts
    0

    Earlier Ewido Scans

    Phil,

    Here are the earlier Ewido scan logs you've requested. Note they did not detect the issue with bwieas.exe (I believe that it hid itself very effectively from the Windows shell somehow).

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 12:56:48 AM, 12/24/2005
    + Report-Checksum: 3C1EFF2B

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup


    ::Report End

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:23:25 AM, 12/25/2005
    + Report-Checksum: A7B87F8C

    + Scan result:

    No infected objects found.


    ::Report End

  9. #9
    Junior Member
    Join Date
    Dec 2005
    Location
    Grayslake, IL - Suburb of Chicago
    Posts
    0

    Question Restore point deleted, but files not...

    Phil,

    Interesting behavior here:

    Disabled restore points
    Rebooted system
    Re-ran Kaspersky
    RP content files still present and infected; confirmed through System Restore that the restore point was "gone".
    Rebooted in safe mode
    Allowed Administrator access to System Volume Information Folder
    Manually deleted RP contents folder
    Rebooted
    Re-ran Kaspersky
    No viruses found
    Re-enabled restore points

    What next??

    Here are the two Kaspersky logs:

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Monday, December 26, 2005 18:38:19
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 27/12/2005
    Kaspersky Anti-Virus database records: 167633
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 69804
    Number of viruses found: 1
    Number of infected objects: 3
    Number of suspicious objects: 0
    Duration of the scan process: 3808 sec

    Infected Object Name - Virus Name
    C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145201.exe Infected: Trojan.Win32.Crypt.t
    C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145202.dll Infected: Trojan.Win32.Crypt.t
    C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP812\A0145203.exe Infected: Trojan.Win32.Crypt.t

    Scan process completed.

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Monday, December 26, 2005 22:21:47
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 27/12/2005
    Kaspersky Anti-Virus database records: 167672
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 69780
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 3758 sec
    No malware has been detected. The sections that have been scanned are CLEAN.

    Scan process completed.

  10. #10
    Junior Member
    Join Date
    Dec 2005
    Location
    Grayslake, IL - Suburb of Chicago
    Posts
    0

    Default Additional History Spybot Fixes*.txt

    Phil,

    Here's additional information on what was fixed in earlier passes of Spybot S&D:


    --- Report generated: 2005-12-22 01:15 ---

    Command Service: System Service (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

    Connect MFC Application: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\livesvc

    CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
    HKEY_USERSS-1-5-21-3588590466-2801439982-1300003180-1004\Software\Microsoft\Internet Explorer\Main\Search Page=about:blank

    CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
    HKEY_USERSS-1-5-21-3588590466-2801439982-1300003180-1004\Software\Microsoft\Internet Explorer\SearchUrl\=about:blank

    CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
    HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Search Page=about:blank

    CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
    HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Main\Search Bar=about:blank

    CoolWWWSearch.Aboutblank: IE Search page (Registry change, fixed)
    HKEY_LOCAL_MACHINESoftware\Microsoft\Internet Explorer\Search\SearchAssistant=about:blank

    ISearchTech.SideFind: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media

    ShopAtHome: Global settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\VGroup

    AbetterInternet.Aurora: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Mvu

    AbetterInternet.Aurora: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Mvu

    AbetterInternet.Aurora: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\vidctrl

    AbetterInternet.Aurora: Program directory (Directory, fixed)
    C:\WINDOWS\system32\vidctrl\

    AbetterInternet.Aurora: Data (File, fixed)
    C:\Documents and Settings\david hinks\Local Settings\Temp\cfin

    AbetterInternet.Aurora: Executable (File, fixed)
    C:\Documents and Settings\david hinks\Local Settings\Temp\cfout.txt

    AbetterInternet.Aurora: Text file (File, fixed)
    C:\WINDOWS\affbun.txt

    BookedSpace: Library (File, fixed)
    C:\WINDOWS\libbz2.dll

    ClimaxBucks.InternetOptimizer: Autorun settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Optimizer

    Command Service: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Command Service: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Command Service: Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}

    DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout

    DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt

    DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

    DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Avenue Media

    DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Policies\Avenue Media

    DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Avenue Media

    DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA

    DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer

    E2Give: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\Ptech

    E2Give: Settings (Registry key, fixed)
    HKEY_CLASSES_ROOT\AppID\IeBHOs.DLL

    E2Give: Root class (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control

    E2Give: Root class (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control.1

    E2Give: Class ID (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}

    E2Give: Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}

    E2Give: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\E2G

    E2Give: Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin

    Look2Me.Topconverting: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}

    Look2Me.Topconverting: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}

    Look2Me.Topconverting: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}

    Look2Me.Topconverting: Type library (Registry key, fixed)
    HKEY_CLASSES_ROOT\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52}

    Look2Me.Topconverting: Root class (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\SWLAD1.SWLAD

    Look2Me.Topconverting: Class ID (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}

    MagicControl.Agent: Library (File, fixed)
    C:\WINDOWS\system32\msegcompid.dll

    MagicControl.Agent: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig

    MagicControl.Agent: User settings (Registry value, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA

    MediaMotor: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{A9136CFD-FD01-41B8-9969-0B37720ED8AB}

    MediaMotor: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{B2EEDA99-DA99-4D0D-9F7F-143C30521388}

    MediaMotor: Type library (Registry key, fixed)
    HKEY_CLASSES_ROOT\TypeLib\{466C63AC-F26E-49F1-861A-E07DA768A46A}

    SurfSideKick: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\SurfSideKick3

    SurfSideKick: User settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\SurfSideKick3

    SurfSideKick: Library (File, fixed)
    C:\Documents and Settings\david hinks\Application Data\Sskcwrd.dll

    SurfSideKick: Library (File, fixed)
    C:\Documents and Settings\david hinks\Application Data\Sskknwrd.dll

    Web-Nexus: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}

    Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

    Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

    DyFuCA.InternetOptimizer: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer

    Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}

    Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}

    Exact Advertising.BargainsBuddy: Autorun settings (BullsEye Network) (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BullsEye Network

    Exact Advertising.BargainsBuddy: Type library (Registry key, fixed)
    HKEY_CLASSES_ROOT\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}

    Exact Advertising.BargainsBuddy: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil

    Exact Advertising.BargainsBuddy: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}

    Exact Advertising.BargainsBuddy: Root class (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\NLS.UrlCatcher

    Exact Advertising.BargainsBuddy: Class ID (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}

    Exact Advertising.BargainsBuddy: Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}

    Exact Advertising.BargainsBuddy: Root class (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\NLS.UrlCatcher.1

    AdDestroyer: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\VB and VBA Program Settings\AdDestroyer

    AdDestroyer: Program directory (Directory, fixed)
    C:\Documents and Settings\All Users\Application Data\AdDestroyer\

    Adlogix: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{1CFB8B32-4053-4144-AF6F-1540EEC7F101}

    Delfin Project: Root class (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1

    Delfin Project: Class ID (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}

    Delfin Project: Program directory (Directory, fixed)
    C:\Documents and Settings\All Users\Application Data\nsv\

    Delfin Project: Program directory (Directory, fixed)
    C:\WINDOWS\system32\nsvsvc\

    Delfin Project: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}

    Delfin Project: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}

    Delfin Project: Type library (Registry key, fixed)
    HKEY_CLASSES_ROOT\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}

    Elitum.EliteBar: Program directory (Directory, fixed)
    C:\WINDOWS\etb\

    Elitum.EliteBar: Configuration file (File, fixed)
    C:\WINDOWS\etb\etb.ini

    Network Essentials.SmartpopOops: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}

    Network Essentials.SmartpopOops: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}

    Network Essentials.SmartpopOops: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}

    Network Essentials.SmartpopOops: Type library (Registry key, fixed)
    HKEY_CLASSES_ROOT\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9}

    Network Essentials.SmartpopOops: Root class (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\PopOops2.PopOops

    Network Essentials.SmartpopOops: Class ID (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC}

    Qoologic: Settings (Registry key, fixed)
    HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}

    Qoologic: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}

    VBouncer: Program directory (Directory, fixed)
    C:\Documents and Settings\All Users\Application Data\VBouncer\

    VBouncer: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\VB and VBA Program Settings\VBouncer

    VBouncer: Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\DistID

    Windows AdTools: Data (File, fixed)
    C:\WINDOWS\system32\ide21201.vxd

    HitBox: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


    HitBox: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


    Advertising.com: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


    Advertising.com: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


    DoubleClick: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


    Avenue A, Inc.: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)


    Hotbar: Tracking cookie (Internet Explorer: david hinks) (Cookie, fixed)



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-12-22 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2005-12-16 Includes\Cookies.sbi (*)
    2005-12-16 Includes\Dialer.sbi (*)
    2005-12-16 Includes\Hijackers.sbi (*)
    2005-12-16 Includes\Keyloggers.sbi (*)
    2005-12-16 Includes\Malware.sbi (*)
    2005-12-16 Includes\PUPS.sbi (*)
    2005-12-16 Includes\Revision.sbi (*)
    2005-12-16 Includes\Security.sbi (*)
    2005-12-16 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2005-12-16 Includes\Trojans.sbi (*)


    --- Report generated: 2005-12-22 09:32 ---

    MagicControl.Agent: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig



    --- Report generated: 2005-12-22 20:08 ---

    MagicControl.Agent: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig



    --- Report generated: 2005-12-22 20:29 ---

    MagicControl.Agent: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig



    --- Report generated: 2005-12-24 01:06 ---

    MagicControl.Agent: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig

    MagicControl.Agent: User settings (Registry value, fixed)
    HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA

    Alexa Related: Link (Replace file, fixed)
    C:\WINDOWS\Web\related.htm


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-12-22 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2005-12-23 Includes\Cookies.sbi (*)
    2005-12-23 Includes\Dialer.sbi (*)
    2005-12-23 Includes\Hijackers.sbi (*)
    2005-12-23 Includes\Keyloggers.sbi (*)
    2005-12-23 Includes\Malware.sbi (*)
    2005-12-23 Includes\PUPS.sbi (*)
    2005-12-23 Includes\Revision.sbi (*)
    2005-12-23 Includes\Security.sbi (*)
    2005-12-23 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2005-12-23 Includes\Trojans.sbi (*)
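
The fix history in the post above shows the same MagicControl.Agent registry key reported as "fixed" in every Spybot pass. As an added example (not part of the original thread and not Spybot S&D's own code), this Python parses that report format and lists targets that keep coming back across reports, a sign that something still running is recreating them. The sample input is abridged from the posted log, with the cookie entry's user name replaced by a placeholder; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged from the Spybot S&D fix history posted above. The cookie entry's
# user name is replaced with a placeholder and blank lines are dropped.
SAMPLE_LOG = r"""
--- Report generated: 2005-12-22 01:15 ---
MagicControl.Agent: Library (File, fixed)
C:\WINDOWS\system32\msegcompid.dll
MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig
MagicControl.Agent: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA
Delfin Project: Class ID (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}
HitBox: Tracking cookie (Internet Explorer: user) (Cookie, fixed)
--- Report generated: 2005-12-22 09:32 ---
MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig
--- Report generated: 2005-12-22 20:08 ---
MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig
--- Report generated: 2005-12-22 20:29 ---
MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig
--- Report generated: 2005-12-24 01:06 ---
MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\LanConfig
MagicControl.Agent: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-3588590466-2801439982-1300003180-1004\Software\mc\SA
Alexa Related: Link (Replace file, fixed)
C:\WINDOWS\Web\related.htm
"""

HEADER = re.compile(r"^--- Report generated: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ---$")
# "<product>: <description> (<object kind>, <status>)"; the description may contain parentheses.
ENTRY = re.compile(r"^([^:]+): (.+) \(([^(),]+), ([^()]+)\)$")

def parse_reports(text):
    """Return one dict per fix entry: report time, product, kind, status, target."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, report = [], None
    for i, line in enumerate(lines):
        if (h := HEADER.match(line)):
            report = h.group(1)
        elif report and (e := ENTRY.match(line)):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # Cookie entries have no target line; never swallow the next entry or header.
            target = "" if (not nxt or ENTRY.match(nxt) or HEADER.match(nxt)) else nxt
            entries.append({"report": report, "product": e.group(1), "kind": e.group(3),
                            "status": e.group(4), "target": target})
    return entries

def recurring_fixes(entries, min_reports=2):
    """Targets reported 'fixed' in at least min_reports separate reports."""
    seen = defaultdict(set)
    for e in entries:
        if e["status"] == "fixed" and e["target"]:
            seen[(e["product"], e["target"].lower())].add(e["report"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_reports}

def not_fixed(entries):
    """Entries whose status is anything other than 'fixed' (e.g. 'fixing failed')."""
    return [(e["product"], e["target"]) for e in entries if e["status"] != "fixed"]

if __name__ == "__main__":
    parsed = parse_reports(SAMPLE_LOG)
    for (product, target), reports in recurring_fixes(parsed).items():
        print(f"{product}: {target} fixed in {len(reports)} reports: {', '.join(reports)}")
    for product, target in not_fixed(parsed):
        print(f"NOT FIXED {product}: {target}")
```
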
