MyTechSupport.ca :: Your Computer Technical Resource Headquarters!

Author Topic: SearchMiracle.EliteBar Issue  (Read 4679 times)
justllama
« on: September 24, 2005, 03:19:01 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows XP
Problem Application Name & Version: MSN AntiSpyware Beta Version: 1.0.615
Problem Hardware Make & Model:
Error Messages: SearchMiracle.EliteBar

I am continually getting a message from MSN AntiSpyware telling me that it is finding SearchMiracle.EliteBar and prompting me to Remove it (which I always do). This shows up every time I log in.

Here is my HijackThis log...

Thanks for any help anyone can provide!

Logfile of HijackThis v1.99.1
Scan saved at 10:11:42 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\iFtpSvc\iFtpSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1082\en-us\msntabres.dll/229?d67ebd008a5c4318a89d17ec165dd58
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1082\en-us\msntabres.dll/230?d67ebd008a5c4318a89d17ec165dd58
O8 - Extra context menu item: Save Image - res://C:\Program Files\Picture Ace Lite\PictureAceLite.exe/130
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra button: (no name) - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O9 - Extra 'Tools' menuitem: Picture Ace Lite - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc.  10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


sUBs (Global Moderator)
« Reply #1 on: September 24, 2005, 09:18:28 AM »

Download LQfix.exe and place it on your desktop.
Doubleclick LQfix.exe and click install.
Leave the default settings. If you change them, the fix will fail.
Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.

When you have completed the above, go to Start > Run and type cleanmgr (this starts Windows Disk Cleanup)
1. Select Drive C: & click the 'OK' button
2. Select the following options:
    Temporary Internet Files
    Recycle Bin
    Temporary Files
3. Click the 'OK' button

Then perform an online scan with Internet Explorer using Kaspersky WebScanner

Next click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
  1. Scan using the following Anti-Virus database:
    • Standard
  2. Scan Options:
    • Scan Archives
    • Scan Mail Bases
Click OK
Now under "Select a target to scan", select My Computer
The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a new HJT log.

justllama
« Reply #2 on: September 24, 2005, 01:01:30 PM »

-------------------------------------------------------------------------------
 KASPERSKY ON-LINE SCANNER REPORT
 Saturday, September 24, 2005 07:57:38
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky On-line Scanner version: 5.0.67.0
 Kaspersky Anti-Virus database last update: 24/09/2005
 Kaspersky Anti-Virus database records: 141879
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\
   F:\
   G:\
   I:\
   J:\

Scan Statistics:
   Total number of scanned objects: 180553
   Number of viruses found: 8
   Number of infected objects: 23
   Number of suspicious objects: 0
   Duration of the scan process: 7236 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{4D0D8DDA-32BB-4281-A51B-E8C32BEB4A46}\RP169\A0103177.exe   Infected: Trojan-Dropper.Win32.Small.mq
C:\WINDOWS\system32\wudupdate.exe   Infected: Trojan-Downloader.Win32.IstBar.gen
D:\System Volume Information\_restore{4D0D8DDA-32BB-4281-A51B-E8C32BEB4A46}\RP156\A0065234.exe   Infected: Worm.Win32.VB.an
D:\System Volume Information\_restore{4D0D8DDA-32BB-4281-A51B-E8C32BEB4A46}\RP156\A0065235.exe   Infected: Worm.Win32.VB.an
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From jenleck <jenleck@viafamily.com>][Date Wed, 10 Dec 2003 17:43:15 -0800]/UNNAMED   Infected: Email-Worm.Win32.Klez.h
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From  George Ferguson <gferguson@rootsweb.com>][Date Thu, 11 Dec 2003 15:50:22 +0000 (GMT)]/UNNAMED   Infected: Email-Worm.Win32.Tanatos.b
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From ProSystem_fx@prosystemfx.com][Date Tue, 9 Mar 2004 13:00:32 -0800]/html/[From "Advanced Settlements" <postmaster@focusmkt.com>][Date Wed, 10 Mar 2004 13:42:21 -0500]/text/[From "Stephanie's WeatherBug Values" <values@smailer1.weatherbug.com>][Date Wed, 17 Mar 20 ... /document.txt                                                                   .exe   Infected: Email-Worm.Win32.NetSky.q
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From ProSystem_fx@prosystemfx.com][Date Tue, 9 Mar 2004 13:00:32 -0800]/html/[From "Advanced Settlements" <postmaster@focusmkt.com>][Date Wed, 10 Mar 2004 13:42:21 -0500]/text/[From "Stephanie's WeatherBug Values" <values@smailer1.weatherbug.com>][Date Wed, 17 Mar 2004 19:07:04 -0500 ... /[From 24712@aol.com][Date Mon, 22 Mar 2004 12:07:02 -0600]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From ProSystem_fx@prosystemfx.com][Date Tue, 9 Mar 2004 13:00:32 -0800]/html/[From "Advanced Settlements" <postmaster@focusmkt.com>][Date Wed, 10 Mar 2004 13:42:21 -0500]/text/[From "Stephanie's WeatherBug Values" <values@smailer1.weatherbug.com>][Date Wed, 17 Ma ... /data.rtf                                                                           .scr   Infected: Email-Worm.Win32.NetSky.q
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From ProSystem_fx@prosystemfx.com][Date Tue, 9 Mar 2004 13:00:32 -0800]/html/[From "Advanced Settlements" <postmaster@focusmkt.com>][Date Wed, 10 Mar 2004 13:42:21 -0500]/text/[From "Stephanie's WeatherBug Values" <values@smailer1.weatherbug.com>][Date Wed, 17 Mar ... /[From Brian Williams <brianw@kbwilliams.com>][Date 22 Mar 2004 18:44:44 -0000]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From ProSystem_fx@prosystemfx.com][Date Tue, 9 Mar 2004 13:00:32 -0800]/html/[From "Advanced Settlements" <postmaster@focusmkt.com>][Date Wed, 10 Mar 2004 13:42:21 -0500]/text/[From "Stephanie's WeatherBug Values" <values@smailer1.weatherbug.com>][Date Wed, 17 Mar 2004 19:07:04 -0500]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From ProSystem_fx@prosystemfx.com][Date Tue, 9 Mar 2004 13:00:32 -0800]/html/[From "Advanced Settlements" <postmaster@focusmkt.com>][Date Wed, 10 Mar 2004 13:42:21 -0500]/text   Infected: Email-Worm.Win32.NetSky.q
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From ProSystem_fx@prosystemfx.com][Date Tue, 9 Mar 2004 13:00:32 -0800]/html   Infected: Email-Worm.Win32.NetSky.q
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From "Institute of Business and Finance" <ibf@fmgdata.com>][Date Mon, 17 May 2004 09:14:09 -0600]/html/[From "guaranteed traffic" <webmaster@buslness.com>][Date Mon, 17 May 2004 20:35:42 -0500]/UNNAMED/[From hostmaster@fmo.com][Date Wed, 19 May 2004 20:10:25 GMT]/UNNAMED/p-zipped_file_data         .pif   Infected: Email-Worm.Win32.Sober.g
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From "Institute of Business and Finance" <ibf@fmgdata.com>][Date Mon, 17 May 2004 09:14:09 -0600]/html/[From "guaranteed traffic" <webmaster@buslness.com>][Date Mon, 17 May 2004 20:35:42 -0500]/UNNAMED/[From hostmaster@fmo.com][Date Wed, 19 May 2004 20:10:25 GMT]/UNNAMED   Infected: Email-Worm.Win32.Sober.g
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From "Institute of Business and Finance" <ibf@fmgdata.com>][Date Mon, 17 May 2004 09:14:09 -0600]/html/[From "guaranteed traffic" <webmaster@buslness.com>][Date Mon, 17 May 2004 20:35:42 -0500]/UNNAMED/[From GolfSwingHelpline <GolfSwingHelpline@omninamed.com>] ... /[From "Scott Perkins" <aew2217@urlintl.net>][Date Thu, 20 May 2004 02:51:23 +0000]/UNNAMED   Infected: Trojan-PSW.Win32.LdPinch.ea
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From "Institute of Business and Finance" <ibf@fmgdata.com>][Date Mon, 17 May 2004 09:14:09 -0600]/html/[From "guaranteed traffic" <webmaster@buslness.com>][Date Mon, 17 May 2004 20:35:42 -0500]/UNNAMED/[From GolfSwingHelpline <GolfSwingHelpline@omninamed.com>][Date Wed, 19 May 2004 16:45:13 -0700]/html   Infected: Trojan-PSW.Win32.LdPinch.ea
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From "Institute of Business and Finance" <ibf@fmgdata.com>][Date Mon, 17 May 2004 09:14:09 -0600]/html/[From "guaranteed traffic" <webmaster@buslness.com>][Date Mon, 17 May 2004 20:35:42 -0500]/UNNAMED   Infected: Trojan-PSW.Win32.LdPinch.ea
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html/[From "Institute of Business and Finance" <ibf@fmgdata.com>][Date Mon, 17 May 2004 09:14:09 -0600]/html   Infected: Trojan-PSW.Win32.LdPinch.ea
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox/[From ProSystem_fx@prosystemfx.com][Date Mon, 8 Dec 2003 14:20:53 -0800]/html   Infected: Trojan-PSW.Win32.LdPinch.ea
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed/backup-6.4.2004_10-57-59_llama1/homedir/mail/inbox   Infected: Trojan-PSW.Win32.LdPinch.ea
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz/packed   Infected: Trojan-PSW.Win32.LdPinch.ea
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz   Infected: Trojan-PSW.Win32.LdPinch.ea

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 8:00:42 AM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\iFtpSvc\iFtpSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1082\en-us\msntabres.dll/229?d67ebd008a5c4318a89d17ec165dd58
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1082\en-us\msntabres.dll/230?d67ebd008a5c4318a89d17ec165dd58
O8 - Extra context menu item: Save Image - res://C:\Program Files\Picture Ace Lite\PictureAceLite.exe/130
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra button: (no name) - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O9 - Extra 'Tools' menuitem: Picture Ace Lite - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc.  10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
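A defender triaging a thread like this compares the two HijackThis logs posted above rather than reading the second one from scratch. The script below is an added example; it is not part of the thread, of HijackThis or of the LQfix package. It parses the HJT line format (section code, ` - `, entry text) and diffs a "before" and an "after" log, flagging changes in the sections that are persistence or code-loading points (O4 run keys and startup items, O16 downloaded ActiveX controls, O18 protocol handlers, O20 AppInit_DLLs, O23 services). The two logs embedded in it are constructed excerpts. Run over the two full logs in this thread, it would report four O4 entries gone between the 9/23 and 9/24 scans (the Real scheduler, iTunes helper, QuickTime task and Google Talk run keys), two O16 scanner controls added (HouseCall and CKAVWebScan), and the O20 AppInit_DLLs entry unchanged.

```python
"""Diff two HijackThis logs: report entries and processes that appeared or
disappeared between a 'before' and an 'after' scan.

Added example for this thread; it is not part of HijackThis or the forum's
fix. The two logs below are constructed excerpts in HijackThis v1.99.1 line
format (the section codes R1, O4, O16, O20 are HijackThis' own).
"""
import re

# Sections that are persistence or code-loading points and so deserve the
# closest look when an entry appears in them (codes as used by HijackThis).
PERSISTENCE_SECTIONS = {"O4", "O16", "O18", "O20", "O23"}

# One R/F/O line: section code, ' - ', then the rest of the entry.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.+)$")

# Constructed excerpt of a 'before' log.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:11:42 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O20 - AppInit_DLLs: MsgPlusLoader.dll
"""

# Constructed excerpt of an 'after' log.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:00:42 AM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
"""


def parse_hjt(text):
    """Return (processes, entries): the running-process paths (lower-cased,
    since HJT prints them with inconsistent case) and a set of
    (section, body) tuples for the R/F/O lines."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group("section"), m.group("body")))
    return processes, entries


def diff_logs(old_text, new_text):
    """Describe what changed between two logs as sorted lists."""
    old_procs, old_entries = parse_hjt(old_text)
    new_procs, new_entries = parse_hjt(new_text)
    added = sorted(new_entries - old_entries)
    removed = sorted(old_entries - new_entries)
    return {
        "added": added,
        "removed": removed,
        "added_persistence": [e for e in added if e[0] in PERSISTENCE_SECTIONS],
        "removed_persistence": [e for e in removed if e[0] in PERSISTENCE_SECTIONS],
        "new_processes": sorted(new_procs - old_procs),
        "gone_processes": sorted(old_procs - new_procs),
    }


if __name__ == "__main__":
    result = diff_logs(LOG_BEFORE, LOG_AFTER)
    for key in ("removed_persistence", "added_persistence",
                "gone_processes", "new_processes"):
        print(key)
        for item in result[key]:
            print("   ", item if isinstance(item, str) else " - ".join(item))
```

The diff is a starting point for review, not a verdict: an entry that appears in O20 or an O4 run key pointing at an unfamiliar path is what to examine first, while the O16 additions in this thread are simply the online scanners the user was asked to run.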

 
sUBs (Global Moderator)
« Reply #3 on: September 24, 2005, 04:29:04 PM »

Do not worry about files in System Restore's cache. We will deal with that when we finish the disinfection.

Please delete these files:

C:\WINDOWS\system32\wudupdate.exe
E:\Website Stuff\backup-6.4.2004_10-57-59_llama1.tar.gz


Please tell me if MSAS still nags you about EliteBar.
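The reply above applies a triage rule to the 23 Kaspersky hits: leave the System Restore snapshots for later, and collapse the nested archive and mail-base paths down to the files that actually exist on disk. The script below is an added example (not the thread's or Kaspersky's code) that automates that rule for the report format posted above; in that format everything after the first `/` is a path inside an archive or mail base, while the on-disk file itself uses backslashes. `REPORT` is a constructed excerpt with shortened paths and a placeholder restore-point GUID. On the full report above, the same logic collapses the 23 hits to exactly the two files the moderator asks to delete, plus three restore-point hits to deal with after disinfection.

```python
"""Triage a Kaspersky On-line Scanner report: group the 'Infected:' hits by
the file that actually exists on disk and set System Restore snapshots aside.

Added example for this thread; not part of the thread or of Kaspersky's
scanner. REPORT is a constructed excerpt in the posted report's format.
"""
import re

# One hit line: object path, whitespace, 'Infected: <verdict>'.
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)\s*$")

# Constructed excerpt. '{RESTORE-GUID}' is a placeholder for the restore
# point GUID; the long mail-base paths are shortened with ' ... ' the way
# the scanner itself truncates them.
REPORT = r"""
Infected Object Name - Virus Name
C:\System Volume Information\_restore{RESTORE-GUID}\RP169\A0103177.exe   Infected: Trojan-Dropper.Win32.Small.mq
C:\WINDOWS\system32\wudupdate.exe   Infected: Trojan-Downloader.Win32.IstBar.gen
D:\System Volume Information\_restore{RESTORE-GUID}\RP156\A0065234.exe   Infected: Worm.Win32.VB.an
E:\backup.tar.gz/packed/backup/homedir/mail/inbox/[From a@example.com]/UNNAMED   Infected: Email-Worm.Win32.Klez.h
E:\backup.tar.gz/packed/backup/homedir/mail/inbox/[From b@example.com] ... /data.rtf        .scr   Infected: Email-Worm.Win32.NetSky.q
E:\backup.tar.gz/packed   Infected: Trojan-PSW.Win32.LdPinch.ea
E:\backup.tar.gz   Infected: Trojan-PSW.Win32.LdPinch.ea

Scan process completed.
"""


def parse_hits(report):
    """Return [(object_path, verdict), ...] for every 'Infected:' line."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict")))
    return hits


def on_disk_file(object_path):
    """The file that exists on disk: everything before the first '/', which
    the report uses only to descend into an archive or mail base."""
    return object_path.split("/", 1)[0]


def triage(report):
    """Group hits by on-disk file.

    Returns (actionable, restore_points). actionable maps each on-disk file
    to its hit count and the set of verdicts found inside it; restore_points
    lists hits inside System Restore snapshots, which are left until the
    live system is clean and the restore points are purged.
    """
    actionable = {}
    restore_points = []
    for object_path, verdict in parse_hits(report):
        path = on_disk_file(object_path)
        if "\\system volume information\\" in path.lower():
            restore_points.append((path, verdict))
            continue
        entry = actionable.setdefault(path, {"hits": 0, "verdicts": set()})
        entry["hits"] += 1
        entry["verdicts"].add(verdict)
    return actionable, restore_points


if __name__ == "__main__":
    actionable, restore_points = triage(REPORT)
    for path, info in actionable.items():
        print(f"{path}: {info['hits']} hit(s): {', '.join(sorted(info['verdicts']))}")
    print(f"{len(restore_points)} hit(s) in System Restore snapshots, deferred")
```

Grouping by on-disk file is what turns a long report into a short action list: nineteen of the hits above are old worm attachments inside one mail backup archive, so deleting (or restoring from a clean copy) that single archive addresses all of them, while the one loose executable in system32 is the only live-system finding.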

 
justllama
« Reply #4 on: September 25, 2005, 02:58:11 PM »

Removed those two items and rebooted.

Still getting the message...

 
sUBs (Global Moderator)
« Reply #5 on: September 25, 2005, 03:38:12 PM »

Please post the exact message as relayed by MSAS.

 
justllama
« Reply #6 on: September 25, 2005, 06:03:04 PM »

Warning, SearchMiracle.EliteBar Browser Plug-in is trying to

Microsoft AntiSpyware has detected the threat SearchMiracle.EliteBar trying to install an Internet Explorer Web browser on your computer. If you would like to allow SearchMiracle.EliteBar to install the Internet Explorer Web browser click the 'Allow' button below.

Name: SearchMiracle.EliteBar
Type: Browser Plug-in
Threat Level: High
Author: Enternet Media Inc.

Description: SearchMiracle.EliteBar adds a search redirection toolbar to Internet Explorer called Elite Bar.

Advise: High-risk items have a large potential for adverse effect, such as loss of computer control, and should be removed unless knowingly installed.

About Browser Plug-in: A browser plug-in is an application that can be installed within a user's web browser. Plug-ins can come in the form of a toolbar that is included in your web browser or a search or navigation feature to extra task buttons on the browser. Although most plug-ins are designed to perform necessary functions, many plug-ins are harmful to your computer because they have complete access to your web browser and can modify, spy and redirect any task you perform.

 
sUBs (Global Moderator)
« Reply #7 on: September 25, 2005, 07:42:41 PM »

Yes. That would appear to be EliteBar. Strange that Kaspersky & HJT don't detect it. Let's try this fix before we try some deep scans.

Download & save to Desktop - LQFix.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.



Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


From within LQFix.zip, double-click & run LQFix.bat


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


Reboot & download SilentRunners.vbs - Right click & choose Save As...  SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts
Double-click SilentRunners.vbs to run it. This will take a few minutes.
When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.


In your next post, please include these reports:

Ewido
Silent Runner
HJT log


Let me know if the problem still persists.


justllama
Jr. Member
« Reply #8 on: September 25, 2005, 10:11:06 PM »

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         4:55:45 PM, 9/25/2005
 + Report-Checksum:      2D1DFB4A

 + Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKU\S-1-5-21-682003330-842925246-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@isg13.casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@spylog[2].txt -> Spyware.Cookie.Spylog : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   C:\Documents and Settings\Emily\Cookies\emily@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@ehg-spafinder.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\Documents and Settings\Gamers & Lamers\Cookies\gamers & lamers@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@cnn.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   C:\Documents and Settings\Shannon\Cookies\shannon@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
   C:\Documents and Settings\Sims 2\Cookies\sims 2@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Sims 2\Cookies\sims 2@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Sims 2\Cookies\sims 2@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Documents and Settings\Sims 2\Cookies\sims 2@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\Sims 2\Cookies\sims 2@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Sims 2\Cookies\sims 2@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Sims 2\Cookies\sims 2@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   C:\Documents and Settings\Sims 2\Cookies\sims 2@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\30FD3550-E693-42A2-951F-0089A8\916BD2F4-D926-439F-BAE3-271EE1 -> Spyware.Background : Cleaned with backup
   C:\Program Files\Microsoft AntiSpyware\Quarantine\654AB659-8582-4936-861A-8D0722\F9B33FFA-35A9-4915-B746-8BCC5A -> Spyware.180Solutions : Cleaned with backup
   C:\WINDOWS\system32\shell32.exe -> Spyware.WinAD : Cleaned with backup
   D:\Set Ups\Games\specialfriends\Cracks\bigmoney1.11\BigMoney1_11_patch.exe -> Trojan.FraggleRock.155 : Cleaned with backup
   D:\Set Ups\Games\specialfriends\Cracks\mummymaze1_1\MummyMaze1_1_patch.exe -> Trojan.FraggleRock.155 : Cleaned with backup
   D:\Set Ups\Games\specialfriends\Cracks\noah's ark1_1\NoahsArk1_1_patch.exe -> Trojan.FraggleRock.155 : Cleaned with backup
   D:\Set Ups\Games\specialfriends.rar/Cracks\bigmoney1.11\BigMoney1_11_patch.exe -> Trojan.FraggleRock.155 : Cleaned with backup
   D:\Set Ups\Games\specialfriends.rar/Cracks\mummymaze1_1\MummyMaze1_1_patch.exe -> Trojan.FraggleRock.155 : Cleaned with backup
   D:\Set Ups\Games\specialfriends.rar/Cracks\noah's ark1_1\NoahsArk1_1_patch.exe -> Trojan.FraggleRock.155 : Cleaned with backup


::Report End




"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" ["Yahoo! Inc.]
"IE New Window Maximizer" = "C:\Program Files\IE New Window Maximizer\iemaximizer.exe" ["jiiSoft]
"PopUpStopperFreeEdition" = ""C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"" ["Panicware, Inc.]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"ccApp" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" ["Symantec Corporation]
"ccRegVfy" = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" ["Symantec Corporation]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe"  -lang 1033" ["DAEMON'S HOME]
"NeroCheck" = "C:\WINDOWS\system32\\NeroCheck.exe" ["Ahead Software Gmbh]
"LXSUPMON" = "C:\WINDOWS\system32\LXSUPMON.EXE RUN" ["Lexmark International Inc.]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc.]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = "UberButton Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = "YahooTaggedBM Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc.]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc.]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSN Search Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc.]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\EXT\02.05.0000.1082\en-us\msnlExt.dll" [MS]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\DB\02.05.0000.1082\en-us\deskbar.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc.]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc.]
"{CBCE08BC-8102-4B51-8FAB-622C7BE0A37B}" = "SwfFileUploaderMenu"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\NETGUI\Photobucket Uploader\UpWzMenu.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc.]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
SwfFileUploaderMenu\(Default) = "{CBCE08BC-8102-4B51-8FAB-622C7BE0A37B}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\NETGUI\Photobucket Uploader\UpWzMenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc.]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Shannon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Shannon" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Shannon\Start Menu\Programs\Startup
INFECTION WARNING! "PowerReg Scheduler V3.exe" ["Leader Technologies]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN Search Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll" [MS]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc.]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc.]

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN Search Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll" [MS]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc.]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN Search Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll" [MS]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc.]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc.]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll" ["Yahoo! Inc.]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll" ["Yahoo! Inc.]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{BC8FABCD-8649-4EEF-89DB-C012144ADFB1}\
"MenuText" = "Picture Ace Lite"
"Exec" = "C:\Program Files\Picture Ace Lite\PictureAceLite.exe" ["UnH Solutions]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc.]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!]

{CF4DA62E-8A85-4C89-8232-F555BC352B0B}\
"ButtonText" = "HotWhois"
"MenuText" = "&HotWhois"
"Exec" = "C:\Program Files\HotWhois\awie.exe" ["TialSoft software]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks]
Ipswitch WS_FTP Service, iFtpSvc, "C:\iFtpSvc\iFtpSvc.exe" ["Ipswitch, Inc.  10 Maguire Road - Suite 220 Lexington MA.]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc.]
Norton Personal Firewall Accounts Manager, NISUM, ""C:\Program Files\Norton Personal Firewall\NISUM.EXE"" ["Symantec Corporation]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation]
Symantec Proxy Service, ccPxySvc, ""C:\Program Files\Norton Personal Firewall\ccPxySvc.exe"" ["Symantec Corporation]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 22 seconds, including 5 seconds for message boxes)




Logfile of HijackThis v1.99.1
Scan saved at 5:10:30 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\iFtpSvc\iFtpSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1082\en-us\msntabres.dll/229?d67ebd008a5c4318a89d17ec165dd58
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1082\en-us\msntabres.dll/230?d67ebd008a5c4318a89d17ec165dd58
O8 - Extra context menu item: Save Image - res://C:\Program Files\Picture Ace Lite\PictureAceLite.exe/130
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra 'Tools' menuitem: &HotWhois - {CF4DA62E-8A85-4C89-8232-F555BC352B0B} - C:\Program Files\HotWhois\awie.exe
O9 - Extra button: (no name) - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O9 - Extra 'Tools' menuitem: Picture Ace Lite - {BC8FABCD-8649-4eef-89DB-C012144ADFB1} - C:\Program Files\Picture Ace Lite\PictureAceLite.exe (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc.  10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logged
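The log above is in HijackThis's one-entry-per-line format (`O16 - DPF: …`, `O20 - AppInit_DLLs: …`, `O23 - Service: …`). As an added example, not part of the original post and not HijackThis's own logic, here is a small parser for that format together with a few triage heuristics a practitioner might run over such a log. The sample lines are copied from the log above; the heuristics (AppInit_DLLs present, "(file missing)" registrations, ActiveX packages fetched over plain HTTP, service binaries outside Windows/Program Files) are assumptions of this example, and a hit means "confirm what this is", not a malware verdict. In particular the O20 line is flagged because of the mechanism, not as a judgement on MsgPlusLoader.dll.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample lines copied from the HijackThis log posted above (a handful of the
# O8/O16/O18/O20/O23 entries), so the parser runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ipswitch WS_FTP Service (iFtpSvc) - Ipswitch, Inc.  10 Maguire Road - Suite 220 Lexington MA. - C:\iFtpSvc\iFtpSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis entry is "<section> - <payload>"; sections are R0..R3, F0..F3, N1..N4, O1..O24.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


@dataclass
class Entry:
    code: str      # e.g. "O20"
    payload: str   # everything after "O20 - "


def parse_hjt(text: str) -> List[Entry]:
    """Return the structured entries of a HijackThis log, ignoring header/process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


# Directories a service binary is normally expected under (heuristic, assumption of this example).
EXPECTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\")


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Flag entries worth a second look. A hit is a prompt to investigate, not a malware verdict."""
    findings = []
    for e in entries:
        p = e.payload
        # O20: anything in AppInit_DLLs is loaded into every process that maps user32.dll,
        # a classic persistence/injection point, so it is always worth confirming what it is.
        if e.code == "O20" and p.startswith("AppInit_DLLs:"):
            dlls = p.split(":", 1)[1].strip()
            if dlls:
                findings.append((e.code, f"AppInit_DLLs injects into every GUI process: {dlls}"))
        # Registrations whose target no longer exists are harmless but are leftover attack surface.
        if "(file missing)" in p:
            findings.append((e.code, f"dangling registration, target file missing: {p}"))
        # O16: DPF entries are ActiveX packages IE downloaded; over plain HTTP they can be swapped in transit.
        if e.code == "O16":
            m = re.search(r"-\s+(\S+://\S+)\s*$", p)
            if m and m.group(1).lower().startswith("http://"):
                findings.append((e.code, f"ActiveX package fetched over cleartext HTTP: {m.group(1)}"))
        # O23: a service binary living outside Windows/Program Files deserves a closer look.
        if e.code == "O23":
            path = p.rsplit(" - ", 1)[-1].strip().lower()
            if not path.startswith(EXPECTED_SERVICE_DIRS):
                findings.append((e.code, f"service binary in unusual location: {path}"))
    return findings


if __name__ == "__main__":
    for code, msg in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{code}] {msg}")
```

Run against the sample it reports four items: the AppInit_DLLs entry, the dangling msnim protocol handler, the HouseCall control downloaded over HTTP, and the WS_FTP service living in C:\iFtpSvc. None of those is EliteBar; the point is that a log with no visible infection can still carry things worth confirming by hand.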

sUBs
Global Moderator
« Reply #9 on: September 25, 2005, 10:18:24 PM »

There is nothing in these logs that indicates the presence of Elitebar.
If MSAS still nags you about Elitebar, allow it to install the BHO. Then post a new HJT log.
« Last Edit: September 25, 2005, 10:20:08 PM by sUBs »

justllama
Jr. Member
« Reply #10 on: September 25, 2005, 10:21:19 PM »


It seems to be gone!  

I cannot thank you enough...this thing was driving me insane!

sUBs
Global Moderator
« Reply #11 on: September 25, 2005, 10:23:52 PM »


Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Clear & reset System Restore's cache

    1. click Start >> Run - type SYSDM.CPL & press Enter
    2. Select the System Restore Tab
    3. Tick on the checkbox - Turn off System Restore on all drives
    4. Click Apply
    5. Then untick the same checkbox & click OK  


  2. DISABLE THE VIEWING OF SYSTEM FILES

  3. From Windows Explorer, go to Tools>Folder Options> View tab.
    • Enable - Show hidden files and folders
    • Disable - Hide file extensions for known types
    • Disable - Hide protected operating system files
    Click Yes to confirm & then click OK

  4. Make your Internet Explorer more secure -  This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
        Change the Download unsigned ActiveX controls to Disable
        Change the Initialize and script ActiveX controls not marked as safe to Disable
        Change the Installation of desktop items to Prompt
        Change the Launching programs and files in an IFRAME to Prompt
        Change the Navigate sub-frames across different domains to Prompt
    5. When all these settings have been made, click on the OK button.
    6. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    7. Next press the Apply button and then the OK to exit the Internet Properties page.


  5. Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it.  This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources


  6. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish).  If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  7. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over.  I am very serious about this and see it happen almost every day with my clients.  Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Understanding and Using Firewalls


  8. Visit Microsoft's Windows Update Site Frequently - It is important that you visit windowsupdate.com regularly.  This will ensure your computer always has the latest security updates available installed.  If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  9. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.  This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.  You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


  10. Install Ad-Aware - Download and install Ad-Aware.  You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware,  & Hijackers from Your Computer

  11. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware


  12. Update all these programs regularly - Make sure you update all the programs I have listed regularly.  Without regular updates you WILL NOT be protected when new malicious programs are released.


  13. Winpatrol -  Download and install the free version of Winpatrol.

    A tutorial for this product is located here  Using Winpatrol to protect your computer from malicious software


  14. IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system.  It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


  15. MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc.  Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.


  16. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program!  (AOL, Yahoo, ICQ, IRC, MSN)


  17. Weather Watcher - Free taskbar weather program that is free, malware-free, and light on resources.


  18. Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.


  19. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.


  20. Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

Follow this list and your potential for being infected again will reduce dramatically. Your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.  

Please come back in 1-2 days to respond to this thread one more time so we can mark this thread as resolved.
Logged
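Two of the steps in the list above are checkable without clicking through dialogs. As an added example (not code from the original post, nor from any of the tools it names), the following Python audits them offline. For item 4 it maps the six Custom Level settings to their registry value IDs under the Internet zone key and reports deviations from the recommended values (the value IDs and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are the documented ones; the snapshot it checks is a constructed dict, not read from a live registry, and it can also render the recommendations as a .reg file). For item 15 it parses a hosts file and shows the property a practitioner most often trips over: a hosts-file sinkhole matches hostnames exactly and has no wildcards. The sample hosts file and the `example-ads.test` / `example-tracker.test` names are constructed placeholders.

```python
"""Offline checks for two of the steps in the list above: the Internet-zone
settings of item 4 and the hosts-file sinkhole of item 15."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# ---- Item 4: Internet Explorer "Internet" zone (zone 3) -----------------------
# The Custom Level dialog writes one DWORD per setting under this key.
# The six value-name IDs below are the documented ones for the settings named in
# the post; 0 = Enable, 1 = Prompt, 3 = Disable.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAMES = {
    1001: "Download signed ActiveX controls",
    1004: "Download unsigned ActiveX controls",
    1201: "Initialize and script ActiveX controls not marked as safe",
    1800: "Installation of desktop items",
    1804: "Launching programs and files in an IFRAME",
    1607: "Navigate sub-frames across different domains",
}
RECOMMENDED = {1001: PROMPT, 1004: DISABLE, 1201: DISABLE,
               1800: PROMPT, 1804: PROMPT, 1607: PROMPT}


def audit_zone(snapshot: Dict[int, int]) -> List[Tuple[int, str, Optional[int], int]]:
    """Compare a {value_id: dword} snapshot of zone 3 against RECOMMENDED.
    Returns (id, name, current, wanted) for each setting that differs or is absent
    (an absent value falls back to the zone template, so it is reported, not assumed)."""
    deviations = []
    for vid, wanted in RECOMMENDED.items():
        current = snapshot.get(vid)
        if current != wanted:
            deviations.append((vid, SETTING_NAMES[vid], current, wanted))
    return deviations


def zone_reg_file() -> str:
    """Render RECOMMENDED as a .reg file, i.e. the same values the dialog writes."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    lines += [f'"{vid}"=dword:{val:08x}' for vid, val in sorted(RECOMMENDED.items())]
    return "\n".join(lines) + "\n"


# ---- Item 15: hosts-file sinkhole ---------------------------------------------
# Addresses a blocklist maps names to: 127.0.0.1 is what the post describes,
# 0.0.0.0 is the other common choice (connection fails fast instead of reaching
# whatever is listening on loopback).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the MVPS layout; the real file has thousands of entries.
SAMPLE_HOSTS = """\
127.0.0.1  localhost
127.0.0.1  ad.example-tracker.test    # trailing comments are allowed
127.0.0.1  banners.example-ads.test
0.0.0.0    stats.example-ads.test
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {hostname: address}; the first entry for a name wins."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                # malformed line, skipped
        for name in parts[1:]:
            table.setdefault(name.lower().rstrip("."), parts[0])
    return table


def is_sinkholed(table: Dict[str, str], hostname: str) -> bool:
    """True only on an exact hostname match: the hosts file has no wildcards, so
    blocking banners.example-ads.test says nothing about www.banners.example-ads.test."""
    return table.get(hostname.lower().rstrip(".")) in SINKHOLES


if __name__ == "__main__":
    weak = {vid: ENABLE for vid in RECOMMENDED}     # constructed: everything set to Enable
    for vid, name, cur, want in audit_zone(weak):
        print(f"{vid} {name}: {cur} -> {want}")
    print(zone_reg_file())
    hosts = parse_hosts(SAMPLE_HOSTS)
    for h in ("ad.example-tracker.test", "www.banners.example-ads.test"):
        print(h, "blocked" if is_sinkholed(hosts, h) else "NOT blocked")
```

The hosts check is the part worth internalising: because matching is exact, a blocklist is only as good as its coverage of every hostname an ad network actually uses, and a new subdomain walks straight past it. That is also why SpywareBlaster and IE/Spyad (items 11 and 14) work on a different layer, the Restricted sites zone, rather than on name resolution.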

justllama
Jr. Member
« Reply #12 on: September 25, 2005, 10:25:22 PM »

Looks like I've got some work to do!  I have some of those programs installed...back in a few days!

justllama
Jr. Member
« Reply #13 on: September 26, 2005, 05:10:42 AM »

It's back.  I rebooted just a few minutes ago and I got the same message as before.

My daughter played a game from CD (on the Gamers and Lamers login) and I played SIMS (on the SIMS login).

sUBs
Global Moderator
« Reply #14 on: September 26, 2005, 05:14:27 AM »

If you have not allowed it to install as a BHO, please do so now. Then post a HJT log. I have yet to see any signs of Elitum in your log. I'm more inclined to think that something is amiss with MSAS.