Poss cws??
spunky
Newbie
21. August 2006 @ 14:55
Spybot report says I have CWS. I ran CWShredder and it says it fixed. Next on boot up Spybot says I got it again. Could someone look at this mess?
Logfile of HijackThis v1.99.1
Scan saved at 7:34:48 AM, on 8/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNEW\System32\smss.exe
C:\WINNEW\system32\csrss.exe
C:\WINNEW\system32\winlogon.exe
C:\WINNEW\system32\services.exe
C:\WINNEW\system32\lsass.exe
C:\WINNEW\system32\svchost.exe
C:\WINNEW\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNEW\System32\svchost.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8082\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8083\Binn\sqlservr.exe
C:\WINNEW\system32\MSTask.exe
C:\WINNEW\system32\stisvc.exe
C:\WINNEW\system32\ZoneLabs\vsmon.exe
C:\WINNEW\System32\WBEM\WinMgmt.exe
C:\WINNEW\system32\mspmspsv.exe
C:\WINNEW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNEW\System32\svchost.exe
C:\WINNEW\Explorer.EXE
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\TARISS\MainMenu\MainMenu.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\iolo\System Mechanic 6\SMTrayNotify.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eagent.farmersinsurance.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-61e35b5c-d164-11d6-8916-00d0b77e517a&GUID=&SMAUTHREASON=0&TARGET=$SM$https://eagent.farmersinsurance.com/PLA/eAgent/Ade/ade?req_page=home (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe 7\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNEW\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [SpybotSnD] "D:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: TexasMainMenu.lnk = C:\Program Files\TARISS\MainMenu\MainMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: http://127.0.0.1
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAutoE/commonActiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXTwain61.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXDialog61.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgX61.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNEW\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNEW\system32\ZoneLabs\vsmon.exe

Scan stopped three times, with error reports saying unexpected procedure call failed inigetstring etc.

Any help appreciated.

Spunky

Sir you are drunk !! Madam you are ugly,,,tomorrow I will be sober!!
Senior Member
22. August 2006 @ 01:01
Hmm...

Run a scan only with HijackThis, fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Try ridding it one more time. Then post an Ewido log if it still remains.

spunky
Newbie
22. August 2006 @ 08:22
Thank you Niob

I did what you suggested. Ran CWShredder again and it said it could not find anything. I deleted the 2 entries you suggested. Here is the report for both:
CWShredder Report:
**** Run Keys ****

RUN: [Synchronization Manager] mobsync.exe /logon
RUN: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
RUN: [PaperPort PTD] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
RUN: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
RUN: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
RUN: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
RUN: []
RUN: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
RUN: [SystemGuardAlerter] SystemGuardAlerter.exe
RUN: [SpybotSnD] "D:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
RUN: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
RUN: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
RUN: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
RUN: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
RUN: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet


**** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] D:\Adobe 7\ActiveX\AcroIEHelper.dll
BHO: [SpywareGuardDLBLOCK.CBrowserHelper] C:\Program Files\SpywareGuard\dlprotect.dll


**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINNEW\system32\msdxm.ocx
TOOLBAR: [Yahoo! Toolbar] C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll


**** IE Extensions ****

IEExt: [Yahoo! Services]
IEExt: [Yahoo! Messenger] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
IEExt: [eBay - Homepage] C:\Program Files\IrfanView\Ebay\Ebay.htm


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost


**** IE Settings ****

Default Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default Search: http://home.microsoft.com/search/search.asp
Local Page: C:\WINNEW\SYSTEM32\blank.htm
Search Bar: http://www.earthlink.net/partner/more/msie/button/search.html
Search Page: http://www.earthlink.net/partner/more/msie/button/search.html


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: CA ISafe LSP over [MSAFD Tcpip [TCP/IP]]
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ACD05D8C-EE08-4135-9577-1F5F46627C46}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ACD05D8C-EE08-4135-9577-1F5F46627C46}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FEB83C1A-DE12-4BBD-8C30-8129FF594A6D}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FEB83C1A-DE12-4BBD-8C30-8129FF594A6D}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0F69F4E4-DB50-4A60-A6FD-D1B3669BAFB3}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0F69F4E4-DB50-4A60-A6FD-D1B3669BAFB3}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{00B1F1AB-880F-42EF-9C13-BBE11A3EC234}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{00B1F1AB-880F-42EF-9C13-BBE11A3EC234}] DATAGRAM 2


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

DirectAnimation Java Classes [file://C:\WINNEW\Java\classes\dajava.cab]
Microsoft XML Parser for Java [file://C:\WINNEW\Java\classes\xmldso.cab]
{0335A685-ED24-4F7B-A08E-3BD15D84E668} [http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab]
{1663ed61-23eb-11d2-b92f-008048fdd814} [https://eagent.farmersinsurance.com/PLA/eAgent/eAutoE/commonActiveX/smsx.cab]
{17492023-C23A-453E-A040-C7C580BBF700} [http://go.microsoft.com/fwlink/?linkid=39204] C:\WINNEW\system32\LegitCheckControl.DLL
{354D91A8-E3C9-491F-BB89-0FB27DEEED86} [https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXTwain61.cab]
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} [http://office.microsoft.com/officeupdate/content/opuc3.cab]
{45EEDB84-57BC-4FBD-8065-7AB8E971B545} [https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXDialog61.cab]
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
{7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} [https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgX61.cab] C:\WINNEW\system32\OLEAUT32.DLL C:\WINNEW\system32\OLEPRO32.DLL C:\WINNEW\system32\ASYCFILT.DLL C:\WINNEW\system32\STDOLE2.TLB C:\WINNEW\system32\COMCAT.DLL C:\WINNEW\system32\AtalaImaging.dll C:\WINNEW\system32\ImgX61.dll C:\WINNEW\Downloaded Program Files\ImgXCAB61.ocx
{9F1C11AA-197B-4942-BA54-47A8489BB47F} [http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?3...
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} [http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\System32\services.exe
[AppMgmt] %SystemRoot%\system32\services.exe
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[BITS] %SystemRoot%\System32\svchost.exe -k BITSgroup
[Browser] %SystemRoot%\System32\services.exe
[CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
[cisvc] C:\WINNEW\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[Dhcp] %SystemRoot%\System32\services.exe
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\services.exe
[Dnscache] %SystemRoot%\System32\services.exe
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINNEW\System32\svchost.exe -k netsvcs
[ewido anti-spyware 4.0 guard] C:\Program Files\ewido anti-spyware 4.0\guard.exe
[Fax] %systemroot%\system32\faxsvc.exe
[IOLO_SRV] C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
[lanmanserver] %SystemRoot%\System32\services.exe
[lanmanworkstation] %SystemRoot%\System32\services.exe
[LmHosts] %SystemRoot%\System32\services.exe
[Messenger] %SystemRoot%\System32\services.exe
[mnmsrvc] C:\WINNEW\System32\mnmsrvc.exe
[MSDTC] C:\WINNEW\System32\msdtc.exe
[MSIServer] C:\WINNEW\system32\msiexec.exe /V
[MSSQL$COSSNET8082] C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8082\Binn\sqlservr.exe -sCOSSNET8082
[MSSQL$COSSNET8083] C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8083\Binn\sqlservr.exe -sCOSSNET8083
[MSSQLServerADHelper] C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\services.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\regsvc.exe
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe -s
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\system32\MSTask.exe
[seclogon] %SystemRoot%\system32\services.exe
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[SQLAgent$COSSNET8082] C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8082\Binn\sqlagent.EXE -i COSSNET8082
[SQLAgent$COSSNET8083] C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8083\Binn\sqlagent.EXE -i COSSNET8083
[StiSvc] %systemroot%\system32\stisvc.exe
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] %SystemRoot%\system32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\services.exe
[UPS] %SystemRoot%\System32\ups.exe
[UtilMan] %SystemRoot%\System32\UtilMan.exe
[VETMSGNT] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
[vsmon] C:\WINNEW\system32\ZoneLabs\vsmon.exe -service
[W32Time] %SystemRoot%\System32\services.exe
[WinDefend] "C:\Program Files\Windows Defender\MsMpEng.exe"
[WinMgmt] %SystemRoot%\System32\WBEM\WinMgmt.exe
[WMDM PMSP Service] C:\WINNEW\system32\mspmspsv.exe
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\system32\Services.exe
[wuauserv] %systemroot%\system32\svchost.exe -k wugroup
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://home.microsoft.com/search/search.asp
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SEARCH: [CustomSearch] http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www...


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Show_ChannelBand] no
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] https://eagent.farmersinsurance.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-61e35b5c-d164-11d6-8916-00d0b77e517a&GUID=&SMAUTHREASON=0&TARGET=$SM$https%3a%2f%2feagent%2efarmersinsurance%2ecom%2fPLA%2feAgent%2fAde%2fade%3freq_page%3dhome
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Q261272] yes
IEOPT: [FullScreen] no
IEOPT: [Disable Script Debugger] yes
IEOPT: [Window_Placement] ,
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Print_Background] no
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Use FormSuggest] yes
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] no
IEOPT: [AutoSearch]
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [Enable Browser Extensions] yes
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Default_Search_URL] http://www.earthlink.net/partner/more/msie/button/search.html
IEOPT: [Search Page] http://www.earthlink.net/partner/more/msie/button/search.html
IEOPT: [Default_Page_URL] http://start.earthlink.net
IEOPT: [Search Bar] http://www.earthlink.net/partner/more/msie/button/search.html
IEOPT: [Use Custom Search URL]
IEOPT: [Local Page] C:\WINNEW\SYSTEM32\blank.htm
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [Default_Search_URL] http://home.microsoft.com/search/search.asp
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.yahoo.com/
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [FullScreen] no
IEOPT: [Local Page] C:\WINNEW\SYSTEM32\blank.htm
end
=============================================
Logfile of HijackThis v1.99.1
Scan saved at 10:49:35 AM, on 8/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNEW\System32\smss.exe
C:\WINNEW\system32\csrss.exe
C:\WINNEW\system32\winlogon.exe
C:\WINNEW\system32\services.exe
C:\WINNEW\system32\lsass.exe
C:\WINNEW\system32\svchost.exe
C:\WINNEW\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNEW\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8082\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8083\Binn\sqlservr.exe
C:\WINNEW\Explorer.EXE
C:\WINNEW\system32\MSTask.exe
C:\WINNEW\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNEW\system32\ZoneLabs\vsmon.exe
C:\WINNEW\System32\WBEM\WinMgmt.exe
C:\WINNEW\system32\mspmspsv.exe
C:\WINNEW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\TARISS\MainMenu\MainMenu.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
D:\Adobe 7\Reader\AcroRd32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eagent.farmersinsurance.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-61e35b5c-d164-11d6-8916-00d0b77e517a&GUID=&SMAUTHREASON=0&TARGET=$SM$https://eagent.farmersinsurance.com/PLA/eAgent/Ade/ade?req_page=home (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe 7\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNEW\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [SpybotSnD] "D:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: TexasMainMenu.lnk = C:\Program Files\TARISS\MainMenu\MainMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: http://127.0.0.1
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAutoE/commonActiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXTwain61.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXDialog61.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgX61.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNEW\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNEW\system32\ZoneLabs\vsmon.exe

For your info
When I came in this am I ran Spybot as usual and ewido and it said I have cws again and it deleted it. This was before I read your email. Maybe I shouldn't do that till we get a fix??

Thanks for the assistance
Spunky

spunky
Newbie
22. August 2006 @ 08:28
Niobis;
I have to leave my office and will not be back till late, but I do want to try and get rid of this annoyance. I will follow any new instructions as soon as I can.

Spunky

spunky
Newbie
22. August 2006 @ 08:35
Here's the Ewido report:
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:11:58 PM 8/21/2006

+ Scan result:



D:\Backups\DVD2\DVD-2\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : No action taken.
C:\Documents and Settings\Administrator.FARMERS-HLMCHHR\My Documents\Blondes\Downloads\Spyware Blaster\Uninstall Newdot~1.dll\uninstall4_50.exe -> Adware.NewDotNet : No action taken.
D:\DownLoads\Spyware Blaster\Uninstall Newdot~1.dll\uninstall4_50.exe -> Adware.NewDotNet : No action taken.
C:\Downloads\password recovery\pspv.exe -> Not-A-Virus.PSWTool.Win32.PassViewer.e : No action taken.
C:\Downloads\password recovery\pspv132.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassViewer.e : No action taken.
D:\Backups\pwdump3.zip/LsaExt.dll -> Not-A-Virus.PSWTool.Win32.PWDump.3 : No action taken.
D:\Backups\pwdump3.zip/PwDump3.exe -> Not-A-Virus.PSWTool.Win32.PWDump.3 : No action taken.
D:\Backups\pwdump3.zip/pwservice.exe -> Not-A-Virus.PSWTool.Win32.PWDump3 : No action taken.
D:\Backups\DVD2\DVD-2\Downloads\4-24-04\rockxp.exe/RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : No action taken.
D:\Backups\DVD2\DVD-2\Downloads\4-24-04\rockxp.exe/xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : No action taken.
:mozilla.92:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.93:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.94:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.95:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.96:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.197:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.198:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.116:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Centrport : No action taken.
:mozilla.120:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.121:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.6:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.196:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.89:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.132:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.46:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Porngraph : No action taken.
:mozilla.47:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Porngraph : No action taken.
:mozilla.48:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Porngraph : No action taken.
:mozilla.49:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Porngraph : No action taken.
:mozilla.50:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Porngraph : No action taken.
:mozilla.175:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Pro-market : No action taken.
:mozilla.176:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Pro-market : No action taken.
:mozilla.177:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.179:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.125:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.181:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Specificpop : No action taken.
:mozilla.203:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Specificpop : No action taken.
:mozilla.204:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Specificpop : No action taken.
:mozilla.188:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.10:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.V61 : No action taken.
:mozilla.57:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.58:D:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end
==============================================================
done in safe mode



Sir you are drunk !! Madam you are ugly,,,tomorrow i will be sober!!
Senior Member
22. August 2006 @ 12:47
You said CWShredder found nothing...? Is Spybot still finding it?

After removing CWS you may also have to restore your Internet Explorer settings to return your computer to its operating state before the CWS variant hijacked your browser. To do this:

Open up Internet Explorer.
Select "Tools > Internet Options" from the Internet Explorer menu.
Choose the "Programs" tab.
Select the "Reset Web Settings" button. After choosing this button the "The Reset Web Settings" dialog box will appear.
Scroll down and make sure that "Also reset my home page" box is checked.
Select "Yes" and click "OK".

Also, even though it has nothing to do with CWS, you should delete the tracking cookies found by Ewido.

Then, run a scan with HijackThis and fix this one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

Let me know if Spybot is still finding it, if so you've got a bad variant of this POS and I'll look more into it for you.
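
A triage sketch for the R0/R1 lines HijackThis reports, added here as an example and not part of the original posts: it parses those lines, attaches review hints, and shows where the per-user and machine-wide values disagree. The sample log is constructed, and the function names and hint labels are this example's own.

```python
import re

# Constructed sample in the HijackThis 1.99.1 line format; URLs are placeholders.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://portal.example.org/login?a=1&b=2 (obfuscated)
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

# R0/R1 line layout: "<code> - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(
    r"^(?P<code>R[01]) - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),"
    r"(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$"
)
MARKER = "(obfuscated)"  # suffix HijackThis prints after some values


def parse_r_entries(log_text):
    """Return one dict per R0/R1 (IE start/search page) line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # headers, process list and O-sections are skipped
        entry = m.groupdict()
        data = entry["data"].strip()
        entry["obfuscated"] = data.endswith(MARKER)
        entry["data"] = data[: -len(MARKER)].rstrip() if entry["obfuscated"] else data
        entries.append(entry)
    return entries


def review_hints(entry):
    """Reviewer hints, not verdicts: a user may have set either value on purpose."""
    hints = []
    if entry["data"] == "":
        hints.append("empty value")
    elif entry["data"].lower() == "about:blank":
        hints.append("about:blank")
    if entry["obfuscated"]:
        hints.append("marked obfuscated")
    return hints


def hive_differences(entries):
    """Value names whose data differs between hives (HKCU vs HKLM)."""
    seen = {}
    for e in entries:
        seen.setdefault(e["name"], {})[e["hive"]] = e["data"]
    return {n: h for n, h in seen.items() if len(set(h.values())) > 1}


if __name__ == "__main__":
    for e in parse_r_entries(SAMPLE_LOG):
        print(e["code"], e["hive"], e["name"], repr(e["data"]), review_hints(e))
    print("differs between hives:", hive_differences(parse_r_entries(SAMPLE_LOG)))
```

Running it over the R0/R1 section of logs saved before and after a fix shows which hive's value changed back.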

maca1
Senior Member
23. August 2006 @ 05:31
Rescan with Ewido, set everything to quarantine, and make sure you click apply all actions.
spunky
Newbie
23. August 2006 @ 18:28
Hi Maca:
Sorry it has taken so long to get back with you. It has been a busy day, which has kept me away from the system.
Yes, Spybot still finds CWS. I did try to see if I could print that report, but all I could do was a screen capture. The first line states:
Coolwwwsearch.bootconf: IE start page ( registry change nothing done)
Hke_Userss-1-5-21-1085031214-861567501-1417001333-500\software\microsoft\interner explorer\main\start-page=about:blank.

It also says repaired again after I click fix.
Ewido

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:08:41 PM 8/23/2006

+ Scan result:



C:\Downloads\password recovery\pspv.exe -> Not-A-Virus.PSWTool.Win32.PassViewer.e : Cleaned.
C:\Downloads\password recovery\pspv132.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassViewer.e : Cleaned.
D:\Backups\pwdump3.zip/LsaExt.dll -> Not-A-Virus.PSWTool.Win32.PWDump.3 : Cleaned.
D:\Backups\pwdump3.zip/PwDump3.exe -> Not-A-Virus.PSWTool.Win32.PWDump.3 : Cleaned.
D:\Backups\pwdump3.zip/pwservice.exe -> Not-A-Virus.PSWTool.Win32.PWDump3 : Cleaned.
D:\Backups\DVD2\DVD-2\Downloads\4-24-04\rockxp.exe/RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned.
D:\Backups\DVD2\DVD-2\Downloads\4-24-04\rockxp.exe/xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned.


::Report end

I asked the software to delete the 4 errors, and then I got a notice that one error is still on the D drive; after I send this message I will go to delete it. The D drive error message is:

D:\Backups\pwdump3.zip/pwservice.exe

HjT

Logfile of HijackThis v1.99.1
Scan saved at 5:34:27 PM, on 8/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNEW\System32\smss.exe
C:\WINNEW\system32\csrss.exe
C:\WINNEW\system32\winlogon.exe
C:\WINNEW\system32\services.exe
C:\WINNEW\system32\lsass.exe
C:\WINNEW\system32\svchost.exe
C:\WINNEW\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNEW\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8082\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8083\Binn\sqlservr.exe
C:\WINNEW\Explorer.EXE
C:\WINNEW\system32\MSTask.exe
C:\WINNEW\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNEW\system32\ZoneLabs\vsmon.exe
C:\WINNEW\System32\WBEM\WinMgmt.exe
C:\WINNEW\system32\mspmspsv.exe
C:\WINNEW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\TARISS\MainMenu\MainMenu.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
D:\Adobe 7\Reader\AcroRd32.exe
C:\WINNEW\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eagent.farmersinsurance.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-61e35b5c-d164-11d6-8916-00d0b77e517a&GUID=&SMAUTHREASON=0&TARGET=$SM$https://eagent.farmersinsurance.com/PLA/eAgent/Ade/ade?req_page=home (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe 7\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNEW\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [SpybotSnD] "D:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: TexasMainMenu.lnk = C:\Program Files\TARISS\MainMenu\MainMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: http://127.0.0.1
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAutoE/commonActiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXTwain61.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXDialog61.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgX61.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNEW\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNEW\system32\ZoneLabs\vsmon.exe

I'll check the system in the morning and let you know.

Thanks for all your help. It must be as frustrating for you as it is for me.



Sir you are drunk !! Madam you are ugly,,,tomorrow i will be sober!!
spunky
Newbie
24. August 2006 @ 14:00
I still got a message that I still had CWS. I downloaded a trial of Spysweeper and ran it. It found a bunch of stuff and cleaned it. I also found something called Elitegroups but couldn't remove it?? Said I had to buy. I also ran CCleaner, which a friend said to try. So far I don't see CWS anymore. I will run a new HJT/Ewido/Spysweeper tonight when I have more time. Is Spysweeper really that good? And should I purchase?

Thanks for all the help

Sir you are drunk !! Madam you are ugly,,,tomorrow i will be sober!!
Senior Member
24. August 2006 @ 19:45
SpySweeper is a great program. It's worth what you pay. I've seen it as low as $9.99.

spunky
Newbie
24. August 2006 @ 20:41
Your opinion is enough for me; I just bought the license. I will send logs in the a.m. as soon as I catch up on all my paperwork.

Again Many thanks for your assistance.
Spunky

Sir you are drunk !! Madam you are ugly,,,tomorrow i will be sober!!
Senior Member
24. August 2006 @ 20:48
You're welcome! :D

Any more problems, post back.

Good luck!
