Page 2 of 6 FirstFirst 123456 LastLast
Results 11 to 20 of 53

Thread: WIN32.AGENT.PZ Problem

  1. #11
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    Hi shlf life,
    Well the way you direction are wrote,I beleive I had to change folder options in normal mode,done!/ Reboot in safe-mode/searched for C:\WINDOWS\system32\wsnpoem\ and audio.dll and video.dl (unable to find in location???)./ Reboot in normal mode/ went to website and uploaded file, which I assumed to be C:\WINDOWS\system32\ntos.exe (done!)./ Went to Kaspersky virus scanner/ accepted active X control and waited for it to download the database/ note appeared saying:Failed to load Kaspersky online scanner activeXcontrol! You must have administrative rights on this computer: You also must have the IE security settings to the medium level (system is at medium settings!).

  2. #12
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi E-literat,

    ok good. i got the email report about the ntos.exe . seems its not malware:

    "This file is not flagged as malicious by the Norman Sandbox Information Center.
    However, we can not guarantee that the file is harmless. "

    do another online scan at trend micro and post the report please, and a new hjt log.

    shelf life
    How Can I Reduce My Risk?

  3. #13
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    Hi shelf life,
    System is starting to slow down and freeze at times.Attempted to scan with housecall 6.5 but system started to freeze, so I was forced to use Housecall 6.6.
    Trend Micro Housecall 6.6 scan: 8:pm cst. 4/21/2007 DETECTED18 infections

    DETECTED MALWARE
    TROJ_WSNPOEM.W 1 infection General risk rate:?
    No known alias Platform: not specified first occurance:not specified

    DETECTED GRAYWARE/SPYWARE
    RAP_GENERIC 1 infection
    no known information.

    DIALER_COULOMB 1 infection
    Alias: WIN32.SDBOT.BQ(PestPatrol);TROJAN/WIN32.CONDRAG(JIANGMIN);TROJAN-SPY.WIN32 SILENTLog.A (Ikarus);WIN32|Masana (Panda)
    Platform: not specified first occurance: not specified General risk rate:low
    This dialer creater dial-up settings without a user's permission or intervention.

    ADWARE_.F5682932 1 infection
    No information on this one!

    FREELOADER_SMITFRAUD 1 infection
    Alias:TROJAN-SPY-HTML.SMITFRAUD.a(Kaspersky),Phish-Bankfraud.eml.a(NAl)
    Platform:WINDOWS98,ME,NT,2000,XP,server2003
    first occurance: not specified General risk rate:Medium

    ADWARE_NETPALS 3 infections
    Alias: SAHAgent,NelPal,Ezula TopText,ExactSearchBar,BargainBuddy,KeenValue,Incredifin,favoriteMan(PestPatrol);NetPal(Ad-Aware);FavoriteMan.(Mcafee);eAcceleration,IncrediFindBHO,KeenValue.PerfectNav(SpyBot);AdwareBinet(Symantec)
    This ADWARE is a JAVA-Script that downloads the cabinet file FR03TP.CAB.
    The said cabinet file contains the following files:
    *ATpartners.dll(detected by TREND MICRO as ADW_NETPAL.A)
    *ATpartners.inf(a non-malicious configuration file)
    *fr03tp.exe(detected by TREND MICRO as ADW_NETPAL.A)
    This ADWARE runs on WINDOWS95,98,ME,NT,2000,and XP.
    solution?: Minimum scan engine version needed: 7:100

    Important WINDOWS ME/XP cleaning instructions:
    Download the (latest spyware pattern file) and scan your system. Then delete all files detected as ADW.NETPALS.A and ADW_NETPAL.A.
    DETAILS: This ADWARE is a JAVA Script that downloads the cabinet file FR03TP.CAB.
    *ATpartners.dll(detected by TREND MICRO as ADW_NETPAL.A)
    *ATpartners.inf(a non-malicious configuration file)
    *fr03tp.exe(detected by TREND MICRO as ADW_NETPAL.A)

    clicked clean now: all cleaned/ prompted to rescan,cause scan found infections,clicked YES...
    On second scan results: Found 4 infections/click clean now/cleaned all except 2. Those 2 infections were not identified!


    Scan exe. results:
    Logfile of scan exe. v1.99.1
    Scan saved at 12:29:18 AM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\scan.exe\scan.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: (no name) - {09dd3840-7edd-4855-afe0-ebbd50fc643a} - C:\WINDOWS\system32\mprcht.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
    O4 - HKLM\..\Run: [WinBuyer Compare & Save] C:\PROGRA~1\WinBuyer\Winbuyer.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [A00F802D89.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F802D89.exe
    O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1175731963546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175731954187
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: mprcht - mprcht.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: __c00E4CE7 - C:\WINDOWS\system32\__c00E4CE7.dat
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

  4. #14
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi E-literat,

    thanks for the info. iam still not convinced about this:
    ntos.exe
    its part of the problem. that last scan mentioned smifraud, lets run smitfraudFix.

    download smitfraud.exe to desktop:

    http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    Open the SmitfraudFix folder on your desktop and double-click smitfraudfix.cmd

    * Select option #1 - Search by typing 1 and press Enter
    * This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    ---------------
    please post the .txt file from the smitfraud scan. in next reply
    How Can I Reduce My Risk?

  5. #15
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    Hi shelf life,
    Downloaded SmitFraud.exe/typed 1the # 1 and clicked enter (search took less than 10 seconds! Results:
    SmitFraudFix v2.166

    Scan done at 10:41:02.84, Sun 04/22/2007
    Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COMPAQ~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.2.1
    DNS Server Search Order: 192.168.0.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{F6D59DF0-01EA-4F1F-B184-72ABAAE32C07}: DhcpNameServer=192.168.2.1 192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{F6D59DF0-01EA-4F1F-B184-72ABAAE32C07}: DhcpNameServer=192.168.2.1 192.168.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{F6D59DF0-01EA-4F1F-B184-72ABAAE32C07}: DhcpNameServer=192.168.2.1 192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.0.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  6. #16
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

    thanks for the info. nothing in the smitfraud report.
    lets do this. again do it all safe mode, so might want to copy/paste this into notepad:

    boot to safe mode, chose first option on list

    look in add/remove programs panel and uninstall winbuyer (if present)

    look for and delete these two: (we tried only ntos.exe before)
    1) c00E4CE7.dat
    2)ntos.exe
    both are in the system32 dir.

    ---------------------
    reboot normally, download pocket killbox to desktop just in case:

    http://www.downloads.subratam.org/KillBox.zip
    we will try that to delete some files next

    i dont like to keep trying app after app to remove something but we seem to be stuck on the same files. you might have something new.

    try the safe mode delete if that dosnt work we will try killbox, then superantispyware.
    also remember to use internet as little as possible and unplug modem.

    shelf life
    How Can I Reduce My Risk?

  7. #17
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    Hi shelf life,
    1) c00E4CE7.dat (this is there without the .dat )
    2)ntos.exe( this one cannot be found).How should I proceed?

  8. #18
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    In safe mode/ Winbuyer cannot be found/ deleted c00E4CE7 (cannot delete_c00E4CE7:It is being used by another person or program. Close any programs that might be using the file and try again.

  9. #19
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi E-literat

    lets try a scan with superantispyware to see if it can dig it out of your computer.

    please download superantispyware:

    http://www.superantispyware.com/down...NTISPYWAREFREE

    * Install it and double-click the icon on your desktop to run it.
    * It will ask if you want to update the program definitions, click Yes.
    * Under Configuration and Preferences, click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    * On the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK.
    * Make sure everything in the white box has a check next to it, then click Next.
    * It will quarantine what it found and if it asks if you want to reboot, click Yes.
    * To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    * Click close and close again to exit the program.
    * Please copy/paste the log in next reply, along with a new scan with hjt.

    shelf life
    How Can I Reduce My Risk?

  10. #20
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    Hi shelf life,
    Downloaded superantispyware and configured the way you asked and followed direction the way you asked (in normal mode) log results:

    SUPERAntiSpyware Scan Log
    Generated 04/22/2007 at 03:53 PM

    Application Version : 3.6.1000

    Core Rules Database Version : 3222
    Trace Rules Database Version: 1233

    Scan type : Complete Scan
    Total Scan Time : 01:00:10

    Memory items scanned : 416
    Memory threats detected : 0
    Registry items scanned : 5963
    Registry threats detected : 0
    File items scanned : 74917
    File threats detected : 28

    Adware.Tracking Cookie
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@imrworldwide[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats.privacyprotector[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@go.winantivirus[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.burstnet[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@go.winantivirus[3].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats1.reliablestats[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstnet[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@winantivirus[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@aff.primaryads[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ehg-kasperskylab.hitbox[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.winantivirus[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.amaena[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@precisionclick[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.xtramsn.co[1].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@cpvfeed[2].txt
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@statse.webtrendslive[2].txt
    C:\Documents and Settings\Guest\Cookies\guest@ads.as4x.tmcs[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@server2.bkvtrack[2].txt
    C:\Documents and Settings\Guest\Cookies\guest@statse.webtrendslive[1].txt
    C:\Documents and Settings\Guest\Cookies\guest@statse.webtrendslive[2].txt

    Adware.Vundo Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{36EC0028-8B85-4538-BB29-A461B426C5A6}\RP10\A0000663.DLL

    Trojan.Net-Jovi/DN
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{36EC0028-8B85-4538-BB29-A461B426C5A6}\RP10\A0000666.DLL

    Adware.Accoona
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{36EC0028-8B85-4538-BB29-A461B426C5A6}\RP11\A0000778.EXE


    Scan.exe results:

    Logfile of Scan.exe v1.99.1
    Scan saved at 4:03:16 PM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\scan.exe\scan.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: (no name) - {09dd3840-7edd-4855-afe0-ebbd50fc643a} - C:\WINDOWS\system32\mprcht.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
    O4 - HKLM\..\Run: [WinBuyer Compare & Save] C:\PROGRA~1\WinBuyer\Winbuyer.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [A00F802D89.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F802D89.exe
    O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1175731963546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175731954187
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: mprcht - mprcht.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: __c00E4CE7 - C:\WINDOWS\system32\__c00E4CE7.dat
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    By the way, I remember downloading Winbuyer last month, it promised to find the best price on products and to give me a $100 dollar coupon to shop with, but it was a scam. This is probally where I made my mastake!!!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •