Full Version: Huntbar and Search Assistant- My Search
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Aivanther
I've run Spybot and Adaware a couple of times, tried removing programs, and both don't come back. From the places I've checked, I don't even have the program that HuntBar describes itself as in Remove Programs ('Internet 404', 'MSIETS' and/or 'Tools for Internet Explorer'). And when I try to remove Search Assistant I get a white window with "res://C:\PROGRA~1\MyWay\SrchAstt\1.bin\mysrchas.dll/101" at the top, and nothing happens.

Here's my 'HijackThis' log:

Logfile of HijackThis v1.97.7
Scan saved at 10:22:40 PM, on 5/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: K;K;;;;;;;P7;P7;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
O1 - Hosts: ;;;;;;;;;;;;;;;;;;;;;;;;;;;
O1 - Hosts: individual
O1 - Hosts: K;?;;;;;;;P7;P7;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
O1 - Hosts: ;;;;;;;;;;;;;;;;;;;;;c;c;;;;;
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: Spybot - Search & Destroy
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0894d6727988df...ip/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7877.3942013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab


Thanks a lot, this is really starting to get under my skin...
CalamityJane
Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O1 - Hosts: K;K;;;;; ; ;P7;P7;;;;;;;;
;;;;;;;;;;;;; ;;;;; ; ;;;;;;;;;;;
;;;;;;;;;;;;

O1 - Hosts: ;;; ; ;;;;;;;;;;;;;
;;;;;;;;;;

O1 - Hosts: individual

O1 - Hosts: K;? ;;;;; ; ;P7;P7;;;;;;;;;;
;;;;;;;;;;; ;;;;; ; ;;;;;;;;;;;
;;;;;;;;;;;;

O1 - Hosts: ;;; ; ;;;;;;;;;;;;;
;;;;c;c;;;;;

O1 - Hosts: 207.36.196.189 search.netscape.com

O1 - Hosts: Spybot - Search & Destroy

O1 - Hosts: 207.36.196.189 search.netscape.com

O1 - Hosts: 207.36.196.189 auto.search.msn.com

O1 - Hosts: 207.36.196.189 ieautosearch

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0894d6727988df...ip/RdxIE601.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
..........................................................
Reboot your PC and delete the following Folder:

C:\Program Files\Common files\WinTools <--- delete folder and its contents

Next, please do a search on your PC for a file named: hosts (you want the one with no extension)

It is located in the etc folder listed: c:\windows\system32\drivers\etc

Please open it up - Windows will pop up a dialogue box saying it can't open it and asking "what do you want to do?". Put a dot in the *select the program from a list* option, then *Ok*. A box will pop up with a list of Open With programs to choose from. Select *Notepad*. Copy and paste the contents back here please.

Scan once more with HijackThis and post a new log with that Hosts file info please :)

Edit to add: Also, it is generally recommended that you uninstall the P2P Networking. P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You can uninstall P2P Networking through Add/Remove Programs. If/when asked whether you also want to remove Altnet components, say 'Yes'. Then remove the P2P Networking folder in C:\Windows\System32, if still there.

If you are still using Kazaa, it is also recommended you get rid of it and get something spyware-free. It comes bundled with spyware and parasites, and there are better alternative programs that don't come with all the other malware on them.
Aivanther
Bah, second time I had to type all this... power went out all of a sudden... stupid maintenance guys. :mad:

Anywho:
When I try to delete the folder C:\Program Files\Common files\WinTools, I get this error message:
QUOTE
Cannot delete WSup.exe: It is being used by another person or program.

Close any programs that might be using the file and try again.


Here's the hosts thing:

QUOTE
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97    rhino.acme.com          # source server
#      38.25.63.10    x.acme.com              # x client host

127.0.0.1      localhost
127.0.0.1  www.igetnet.com
127.0.0.1  code.ignphrases.com
127.0.0.1  clear-search.com
127.0.0.1  r1.clrsch.com
127.0.0.1  sds.clrsch.com
127.0.0.1  status.clrsch.com
127.0.0.1  www.clrsch.com
127.0.0.1  clr-sch.com
127.0.0.1  sds-qckads.com
127.0.0.1  status.qckads.com
127.0.0.1  status.qckads.com
127.0.0.1  status.qckads.com


HijackThis log:
QUOTE
Logfile of HijackThis v1.97.7
Scan saved at 3:32:59 PM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7877.3942013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Also, I recently installed SpywareGuard, and I keep getting these messages:
QUOTE
Warning!Your IE Search bar has been changed!
Your internet explorer current user search bar has been changed from
<none>
to
http://www.websearch.com/ie.aspx?tb_id=50032

I click on restore old value, then I get
QUOTE
Your IE Search Assistant has been changed!
Your Internet Explorer local machine search assistant has been changed
<none>
to
http://www.websearch.com/ie.aspx?tb_id=50032

again, I hit restore old value.

Also, P2P Networking, I thought I had uninstalled, and couldn't find it either in the Add/Remove list or in the system32 folder. My brother downloaded Kazaa on my pc and was using it... we had words, and it's been long gone from my pc. :thumb:
CalamityJane
Ok - thanks.

The remaining hosts files entries are ok - I just wanted to make sure.

Glad you got the P2P networking uninstalled - that entry we fixed may have just been a leftover in the registry.

SpywareGuard is alerting you because the hijacker is still on your PC (it's a prevention tool - can't remove the existing infections.)

However, I guess we will need to do this fix in safe mode.



Please follow these steps, print out a copy of this instruction so you have it to follow it while doing the fixes.

Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Scan with HijackThis and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

While still in SAFE MODE, delete the following files and/or folders named in bold

C:\Program Files\Common files\WinTools <--- delete folder while in SAFE MODE

Now reboot the PC normally and post a new HijackThis log to see if we got it all :)
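The hosts-file check above (open drivers\etc\hosts, paste it, and separate the harmless entries from the hijack), as an added example that is not part of the thread: a small Python triage that labels entries pointing names at 127.0.0.1 as blocking entries (the kind later called ok), entries pointing search sites at any other address as redirects, and unparsable lines such as the K;K;;;;P7 residue as garbage to drop. The sample hosts text is constructed from what the first log and the pasted file showed.

```python
"""Triage a Windows hosts file after a search hijack (added example, not from the thread).

Entry kinds:
  block    - name mapped to 127.0.0.1 / ::1 / 0.0.0.0, i.e. sunk on purpose (Spybot-style immunize)
  redirect - name mapped to some other address, so requests for it silently go elsewhere
  garbage  - unparsable line, e.g. binary residue like the 'K;K;;;;;;;P7;P7' lines in the log
"""
import ipaddress
import re
from collections import Counter

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


def parse_hosts(text):
    """Return one dict per name mapping (or per unparsable line)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:                       # first token is not an address at all
            entries.append({"line": lineno, "kind": "garbage", "raw": raw})
            continue
        names = parts[1:]
        if not names or not all(HOSTNAME_RE.match(n) for n in names):
            entries.append({"line": lineno, "kind": "garbage", "raw": raw})
            continue
        kind = "block" if addr.is_loopback or addr.is_unspecified else "redirect"
        for name in names:
            entries.append({"line": lineno, "kind": kind, "address": str(addr), "name": name})
    return entries


def triage(text):
    """Summarise a hosts file: the hijack (redirects), the ok entries, duplicates, residue."""
    entries = parse_hosts(text)
    redirects = [(e["name"], e["address"]) for e in entries if e["kind"] == "redirect"]
    blocked = [e["name"] for e in entries if e["kind"] == "block" and e["name"] != "localhost"]
    return {
        "redirects": redirects,
        "blocked": sorted(set(blocked)),
        "duplicates": sorted(n for n, c in Counter(blocked).items() if c > 1),
        "garbage_lines": [e["line"] for e in entries if e["kind"] == "garbage"],
    }


def clean_hosts(text):
    """Drop redirect and garbage lines; keep comments, blank lines and blocking entries."""
    bad = {e["line"] for e in parse_hosts(text) if e["kind"] in ("redirect", "garbage")}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: the O1 lines from the first log plus the pasted hosts file, condensed.
SAMPLE_HOSTS = """\
# lines or following the machine name denoted by a '#' symbol.
#      102.54.94.97    rhino.acme.com          # source server
K;K;;;;;;;P7;P7;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
individual
207.36.196.189 search.netscape.com
207.36.196.189 auto.search.msn.com
207.36.196.189 ieautosearch
127.0.0.1      localhost
127.0.0.1  www.igetnet.com
127.0.0.1  clear-search.com
127.0.0.1  status.qckads.com
127.0.0.1  status.qckads.com
"""

if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS)
    for name, addr in report["redirects"]:
        print(f"HIJACK  {name} -> {addr}")
    print("blocked (ok):", ", ".join(report["blocked"]))
    print("duplicates:", report["duplicates"])
    print("garbage on lines:", report["garbage_lines"])
    print(clean_hosts(SAMPLE_HOSTS))
```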
Aivanther
This line:
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

Didn't appear in the safe mode run, so I re-ran once I rebooted in normal mode after I did all the other steps, took care of it, and then rebooted again.

Anywho, here's the log:
QUOTE
Logfile of HijackThis v1.97.7
Scan saved at 4:39:15 PM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7877.3942013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
CalamityJane
Your log looks clean now. As long as you were able to remove the Wintools folder, it should be all gone then :thumb:

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
http://v4.windowsupdate.microsoft.com/en/default.asp
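The "post a new log to see if we got it all" step, and the R3 line that survived the safe-mode pass, as an added example that is not part of the thread and is not a feature of HijackThis: a Python comparison of a before log, an after log and the fix list, plus a lookup of entries tied to one CLSID or to the folder its files live in (the R3 hook and the O2 BHO share one CLSID and one DLL, and the O4 Run entry starts from the same WinTools folder). The three logs are constructed, shortened copies of lines from this thread.

```python
"""Compare two HijackThis logs against a fix list (added example; not from the thread or
from HijackThis). Only keyed entries (R0, R3, O2, O4, O16, ...) are compared; the header
and the 'Running processes' block are ignored."""
import re

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# last folder before a dll/exe/ocx file name, e.g. 'WinTools' in ...\WinTools\WToolsB.dll
FOLDER_RE = re.compile(r"\\([^\\\s]+)\\[^\\\s]+\.(?:dll|exe|ocx)\b", re.I)


def parse_hjt(log):
    """Return the set of (section, body) entries in a HijackThis log."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def compare_logs(before, after, fix_list):
    """Which fix-list items are gone, which are still there, and what is new since."""
    b, a, f = parse_hjt(before), parse_hjt(after), parse_hjt(fix_list)
    return {
        "fixed": sorted((f & b) - a),
        "still_present": sorted(f & a),
        "not_in_before": sorted(f - b),   # fix list names something the old log never had
        "new": sorted(a - b),
    }


def related_entries(log, clsid):
    """Entries that carry the CLSID, plus entries whose path runs through the same folder."""
    entries = parse_hjt(log)
    direct = {e for e in entries if clsid.lower() in e[1].lower()}
    folders = {f.lower() for _, body in direct for f in FOLDER_RE.findall(body)}
    by_folder = {e for e in entries if any("\\" + f + "\\" in e[1].lower() for f in folders)}
    return sorted(direct | by_folder)


# Constructed, shortened copies of the 3:32 PM log, the safe-mode fix list and the later log.
BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common files\WinTools\WToolsA.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""

FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""

# The R3 hook is kept here to mirror the thread: it was not shown in safe mode and needed
# a second pass in normal mode. SpywareGuard's BHO is new and benign.
AFTER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
"""

WINTOOLS_CLSID = "{87766247-311C-43B4-8499-3D5FEC94A183}"

if __name__ == "__main__":
    for label, items in compare_logs(BEFORE, AFTER, FIX_LIST).items():
        print(label)
        for section, body in items:
            print("   ", section, "-", body)
    print("entries tied to", WINTOOLS_CLSID)
    for section, body in related_entries(BEFORE, WINTOOLS_CLSID):
        print("   ", section, "-", body)
```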
Aivanther
Thank you so much :wub:

I already installed most of those things while I was waiting for an initial reply...and just got the IE-SPYAD, which completes it, I guess.

And I always run Windows Update at least once a week. I have enough problems without having a majorly vulnerable OS. ;)

Again, thank you thank you thank you. :w00t: :wub:

BTW, this is a very interesting board...I may lurk here more...
CalamityJane
You're very welcome - we're glad we could help
Aivanther
Bah! I ran spybot this afternoon, and Huntbar is still there. Search Assistant is gone, and I don't get spontaneous opening of webpages like I did before, but Spybot still finds HuntBar (and still can't remove it).

QUOTE
Logfile of HijackThis v1.97.7
Scan saved at 4:58:18 PM, on 5/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7877.3942013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Not sure if it matters or not, but I use PeoplePC (i.e. I have no money but have to have an ISP).
CalamityJane
What I need to see is the Spybot report. However, there is a new version of Spybot now (Ver 1.3). Do you have that?

If not, uninstall the old one and download the new one here.

Download Spybot Search and Destroy Ver 1.3
http://www.safer-networking.org/

Check for updates (I don't think there are any yet) but do that anyway. Then *check for problems*. I would like a copy of the log to see exactly what it is finding. Sometimes you have to reboot after you have cleaned and then run it again, and keep doing that until it gets rid of everything (no bad items found).

Same with Adaware (they had an update today too). If you don't have Adaware, download it here:

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/

If you DO have it already, just get today's update and scan with it as well. If it finds anything, I would like to see that log too.
CalamityJane
This is unrelated to Huntbar but on another item we removed earlier - I just want to make sure there aren't any leftovers of it and want you to use this tool and let me know if any files are found.

Download and install VX2.BetterInternet Finder from:
http://download.broadbandmedic.com/

Or here:

http://www.downloads.subratam.org/VX2Finder.exe

Press 'Click to Find VX2.BetterInternet'.

If any files are found please post a copy here :)
Aivanther
From VX2.BetterInternet:
QUOTE
Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6ao4svc.dll
C:\WINDOWS\System32\6co4svc.dll
C:\WINDOWS\System32\6do4svc.dll
C:\WINDOWS\System32\6go4svc.dll
C:\WINDOWS\System32\6ho4svc.dll
C:\WINDOWS\System32\6wo4svc.dll
C:\WINDOWS\System32\asaamon.dll
C:\WINDOWS\System32\ayledit.dll
C:\WINDOWS\System32\azaamon.dll


Guardian Key--- is called: GuardianCHNUN
Asynchronous 000
DllName C:\WINDOWS\system32\asaamon.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {4C505162-DBCE-442E-B4CE-CB5F8B4C8A91}
IDex DS3

User Agent String---
{4C505162-DBCE-442E-B4CE-CB5F8B4C8A91}


Adaware Log (this IBIS thing, I noticed, has come up a couple of times in the past week)
QUOTE
Lavasoft Ad-aware Personal Build 6.181
Logfile created on  :Sunday, May 16, 2004 10:33:47 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R304 16.05.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


5-16-2004 10:33:47 PM - Scan started. (Smart mode)

Listing running processes


#:1 [smss.exe]
    FilePath          : \SystemRoot\System32\
    ThreadCreationTime : 5-16-2004 9:50:53 PM
    BasePriority      : Normal


#:2 [winlogon.exe]
    FilePath          : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-16-2004 9:51:01 PM
    BasePriority      : High


#:3 [services.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-16-2004 9:51:03 PM
    BasePriority      : Normal
    FileSize          : 99 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName      : services.exe
    OriginalFilename  : services.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 8/18/2001 12:00:00 PM

#:4 [lsass.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-16-2004 9:51:03 PM
    BasePriority      : Normal
    FileSize          : 11 KB
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion    : 5.1.2600.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName      : lsass.exe
    OriginalFilename  : lsass.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 8/29/2002 10:41:26 AM

#:5 [svchost.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-16-2004 9:51:04 PM
    BasePriority      : Normal
    FileSize          : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    OriginalFilename  : svchost.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 8/18/2001 12:00:00 PM

#:6 [svchost.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-16-2004 9:51:04 PM
    BasePriority      : Normal
    FileSize          : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    OriginalFilename  : svchost.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 8/18/2001 12:00:00 PM

#:7 [ccsetmgr.exe]
    FilePath          : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-16-2004 9:51:08 PM
    BasePriority      : Normal
    FileSize          : 229 KB
    FileVersion        : 2.1.0.610
    ProductVersion    : 2.1.0.610
    Copyright          : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Settings Manager Service
    InternalName      : ccSetMgr
    OriginalFilename  : ccSetMgr.exe
    ProductName        : Common Client
    Created on        : 11/30/2003 3:01:53 AM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 11/10/2003 7:30:12 PM

#:8 [ccevtmgr.exe]
    FilePath          : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-16-2004 9:51:08 PM
    BasePriority      : Normal
    FileSize          : 249 KB
    FileVersion        : 2.1.0.610
    ProductVersion    : 2.1.0.610
    Copyright          : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Event Manager Service
    InternalName      : ccEvtMgr
    OriginalFilename  : ccEvtMgr.exe
    ProductName        : Common Client
    Created on        : 11/30/2003 3:01:52 AM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 11/10/2003 7:30:04 PM

#:9 [spoolsv.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-16-2004 9:51:09 PM
    BasePriority      : Normal
    FileSize          : 50 KB
    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName      : spoolsv.exe
    OriginalFilename  : spoolsv.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 8/18/2001 12:00:00 PM

#:10 [ctsvccda.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-16-2004 9:51:09 PM
    BasePriority      : Normal
    FileSize          : 43 KB
    FileVersion        : 1.0.1.0
    ProductVersion    : 1.0.0.0
    Copyright          : Copyright © Creative Technology Ltd., 1999. All rights reserved.
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative Service for CDROM Access
    InternalName      : CTsvcCDAEXE
    OriginalFilename  : CTsvcCDA.EXE
    ProductName        : Creative Service for CDROM Access
    Created on        : 1/4/2004 11:20:36 PM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 12/13/1999 7:01:00 AM

#:11 [runservice.exe]
    FilePath          : C:\WINDOWS\
    ThreadCreationTime : 5-16-2004 9:51:09 PM
    BasePriority      : Normal
    FileSize          : 2 KB
    Created on        : 9/13/2003 12:42:02 AM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 9/13/2003 12:42:02 AM

#:12 [navapsvc.exe]
    FilePath          : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 5-16-2004 9:51:09 PM
    BasePriority      : Normal
    FileSize          : 154 KB
    FileVersion        : 10.00.13
    ProductVersion    : 10.00.13
    Copyright          : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright © 2003 Symantec Corporation. All rights reserved.
    CompanyName        : Symantec Corporation
    FileDescription    : Norton AntiVirus Auto-Protect Service
    InternalName      : NAVAPSVC
    OriginalFilename  : NAVAPSVC.EXE
    ProductName        : Norton AntiVirus
    Created on        : 12/12/2003 11:32:20 PM
    Last accessed      : 5/17/2004 3:33:47 AM
    Last modified      : 12/5/2003 12:22:28 AM

#:13 [nvsvc32.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-16-2004 9:51:10 PM
    BasePriority      : Normal
    FileSize          : 80 KB
    FileVersion        : 6.14.10.5216
    ProductVersion    : 6.14.10.5216
    Copyright          : © NVIDIA Corporation. All rights reserved.
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 52.16
    InternalName      : NVSVC
    OriginalFilename  : nvsvc32.exe
    ProductName        : NVIDIA Driver Helper Service, Version 52.16
    Created on        : 10/6/2003 8:16:00 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 10/6/2003 8:16:00 PM

#:14 [savscan.exe]
    FilePath          : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 5-16-2004 9:51:10 PM
    BasePriority      : Normal
    FileSize          : 189 KB
    FileVersion        : 9.2.1.14
    ProductVersion    : 9.2
    Copyright          : Copyright © 2003 Symantec Corporation
    CompanyName        : Symantec Corporation
    FileDescription    : Symantec AntiVirus Scanner
    InternalName      : SAVSCAN
    OriginalFilename  : SAVSCAN.EXE
    ProductName        : Symantec AntiVirus AutoProtect
    Created on        : 12/12/2003 11:32:22 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 12/5/2003 12:22:30 AM

#:15 [symlcsvc.exe]
    FilePath          : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
    ThreadCreationTime : 5-16-2004 9:51:10 PM
    BasePriority      : Normal
    FileSize          : 572 KB
    FileVersion        : 1, 8, 48, 77
    ProductVersion    : 1, 8, 48, 77
    Copyright          : Copyright © 2003
    CompanyName        : Symantec Corporation
    FileDescription    : Symantec Core Component
    InternalName      : symlcsvc
    OriginalFilename  : symlcsvc.exe
    ProductName        : Symantec Core Component
    Created on        : 10/13/2003 8:18:33 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 10/13/2003 8:18:32 PM

#:16 [mspmspsv.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-16-2004 9:51:11 PM
    BasePriority      : Normal
    FileSize          : 52 KB
    FileVersion        : 7.00.00.1954
    ProductVersion    : 7.00.00.1954
    Copyright          : Copyright © Microsoft Corp. 1981-2000
    CompanyName        : Microsoft Corporation
    FileDescription    : WMDM PMSP Service
    InternalName      : MSPMSPSV.EXE
    OriginalFilename  : MSPMSPSV.EXE
    ProductName        : Microsoft ® DRM
    Created on        : 6/26/2000 12:44:20 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 6/26/2000 12:44:20 PM

#:17 [rundll32.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-16-2004 9:51:13 PM
    BasePriority      : Normal
    FileSize          : 31 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Run a DLL as an App
    InternalName      : rundll
    OriginalFilename  : RUNDLL.EXE
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 3:31:41 AM
    Last modified      : 8/18/2001 12:00:00 PM

#:18 [devldr32.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-16-2004 9:51:15 PM
    BasePriority      : Normal
    FileSize          : 25 KB
    FileVersion        : 1, 0, 0, 22
    ProductVersion    : 1, 0, 0, 22
    Copyright          : Copyright 
    CompanyName        : Creative Technology Ltd.
    FileDescription    : DevLdr32
    InternalName      : DevLdr
    OriginalFilename  : DevLdr32.exe
    ProductName        : Creative Ring3 NT Inteface
    Created on        : 1/4/2004 11:14:04 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 8/31/2001 1:44:30 PM

#:19 [explorer.exe]
    FilePath          : C:\WINDOWS\
    ThreadCreationTime : 5-16-2004 9:51:17 PM
    BasePriority      : Normal
    FileSize          : 980 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion    : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName      : explorer
    OriginalFilename  : EXPLORER.EXE
    ProductName        : Microsoft
    Created on        : 9/13/2003 4:34:38 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 8/29/2002 10:41:24 AM

#:20 [ccapp.exe]
    FilePath          : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-16-2004 9:51:20 PM
    BasePriority      : Normal
    FileSize          : 69 KB
    FileVersion        : 2.1.0.610
    ProductVersion    : 2.1.0.610
    Copyright          : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client User Session
    InternalName      : ccApp
    OriginalFilename  : ccApp.exe
    ProductName        : Common Client
    Created on        : 11/30/2003 3:01:52 AM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 11/10/2003 7:30:02 PM

#:21 [jusched.exe]
    FilePath          : C:\Program Files\Java\j2re1.4.2_03\bin\
    ThreadCreationTime : 5-16-2004 9:51:20 PM
    BasePriority      : Normal
    FileSize          : 32 KB
    Created on        : 11/19/2003 10:48:18 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 11/19/2003 10:48:14 PM

#:22 [diagent.exe]
    FilePath          : C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\
    ThreadCreationTime : 5-16-2004 9:51:21 PM
    BasePriority      : Normal
    FileSize          : 168 KB
    FileVersion        : 1.0.10.0
    ProductVersion    : 1.00.10
    Copyright          : Copyright © 2001 Creative Technology Ltd
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative Diagnostics Agent
    InternalName      : Creative Diagnostics Agent
    OriginalFilename  : diagent.exe
    ProductName        : Creative Diagnostics Agent
    Created on        : 9/7/2003 6:38:58 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 8/30/2001 7:00:00 AM

#:23 [bartshel.exe]
    FilePath          : C:\Program Files\ISP50\bin\
    ThreadCreationTime : 5-16-2004 9:51:21 PM
    BasePriority      : Normal
    FileSize          : 132 KB
    FileVersion        : 5, 6, 0, 61
    ProductVersion    : 5, 0, 0, 0
    Copyright          : Copyright 
    CompanyName        : PeoplePC
    FileDescription    : PeoplePal Module
    InternalName      : PeoplePal
    OriginalFilename  : BartShel.exe
    ProductName        : BartShell Module
    Created on        : 3/2/2004 7:19:24 PM
    Last accessed      : 5/17/2004 3:33:48 AM
    Last modified      : 3/2/2004 7:19:24 PM

#:24 [realsched.exe]
    FilePath          : C:\Program Files\Common Files\Real\Update_OB\
    ThreadCreationTime : 5-16-2004 9:51:22 PM
    BasePriority      : Normal
    FileSize          : 172 KB
    FileVersion        : 0.1.0.2879
    ProductVersion    : 0.1.0.2879
    Copyright          : Copyright 
    CompanyName        : RealNetworks, Inc.
    FileDescription    : RealNetworks Scheduler
    InternalName      : schedapp
    OriginalFilename  : realsched.exe
    ProductName        : RealPlayer (32-bit)
    Created on        : 2/8/2004 4:05:21 AM
    Last accessed      : 5/17/2004 3:33:50 AM
    Last modified      : 2/8/2004 4:05:21 AM

#:25 [sgmain.exe]
    FilePath          : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 5-16-2004 9:51:23 PM
    BasePriority      : Normal
    FileSize          : 352 KB
    FileVersion        : 2.02.0001
    ProductVersion    : 2.02.0001
    Copyright          : Copyright © 2002-2003 Javacool Software LLC
    FileDescription    : SpywareGuard
    InternalName      : sgmain
    OriginalFilename  : sgmain.exe
    ProductName        : SpywareGuard
    Created on        : 8/30/2003 12:05:35 AM
    Last accessed      : 5/17/2004 3:33:50 AM
    Last modified      : 8/30/2003 12:05:35 AM

#:26 [ppshared.exe]
    FilePath          : C:\PROGRA~1\ISP50\bin\
    ThreadCreationTime : 5-16-2004 9:51:24 PM
    BasePriority      : Normal
    FileSize          : 89 KB
    FileVersion        : 5, 5, 3, 21
    ProductVersion    : 5, 0, 0, 0
    Copyright          : Copyright 2003
    CompanyName        : PeoplePC
    FileDescription    : PPShared Module
    InternalName      : PPShared
    OriginalFilename  : PPShared.EXE
    ProductName        : PPShared Module
    Created on        : 11/25/2003 4:37:38 PM
    Last accessed      : 5/17/2004 3:33:50 AM
    Last modified      : 11/25/2003 4:37:38 PM

#:27 [sgbhp.exe]
    FilePath          : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 5-16-2004 9:51:44 PM
    BasePriority      : Normal
    FileSize          : 228 KB
    FileVersion        : 2.02.0001
    ProductVersion    : 2.02.0001
    Copyright          : Copyright © 2002-2003 Javacool Software LLC.
    FileDescription    : SG Browser Hijacking Protection
    InternalName      : sgbhp
    OriginalFilename  : sgbhp.exe
    ProductName        : SG Browser Hijacking Protection
    Created on        : 8/29/2003 4:14:56 PM
    Last accessed      : 5/17/2004 3:33:50 AM
    Last modified      : 8/29/2003 4:14:56 PM

#:28 [winlogon.exe]
    FilePath          : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-16-2004 10:19:56 PM
    BasePriority      : High


#:29 [iexplore.exe]
    FilePath          : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5-17-2004 3:23:46 AM
    BasePriority      : Normal
    FileSize          : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion    : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName      : iexplore
    OriginalFilename  : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on        : 9/13/2003 4:35:10 PM
    Last accessed      : 5/17/2004 3:23:54 AM
    Last modified      : 8/29/2002 10:41:26 AM

#:30 [msmsgs.exe]
    FilePath          : C:\Program Files\Messenger\
    ThreadCreationTime : 5-17-2004 3:32:37 AM
    BasePriority      : Normal
    FileSize          : 1476 KB
    FileVersion        : 4.7.0041
    ProductVersion    : Version 4.7
    Copyright          : Copyright © Microsoft Corporation 1997-2001
    CompanyName        : Microsoft Corporation
    FileDescription    : Messenger
    InternalName      : msmsgs
    OriginalFilename  : msmsgs.exe
    ProductName        : Messenger
    Created on        : 9/13/2003 4:37:52 PM
    Last accessed      : 5/17/2004 3:22:00 AM
    Last modified      : 8/29/2002 10:41:26 AM

#:31 [ad-aware.exe]
    FilePath          : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 5-17-2004 3:33:19 AM
    BasePriority      : Normal
    FileSize          : 668 KB
    FileVersion        : 6.0.1.181
    ProductVersion    : 6.0.0.0
    Copyright          : Copyright 
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-aware 6 core application
    InternalName      : Ad-aware.exe
    OriginalFilename  : Ad-aware.exe
    ProductName        : Lavasoft Ad-aware Plus
    Created on        : 12/13/2003 1:07:51 AM
    Last accessed      : 5/17/2004 3:33:19 AM
    Last modified      : 7/13/2003 4:00:20 AM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


IBIS Toolbar Object recognized!
    Type              : RegKey
    Data              :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : Software\BTIEIN


Registry scan result :

New objects : 1
Objects found so far: 1


Started deep registry scan


Deep registry scan result :

New objects : 0
Objects found so far: 1






Deep scanning and examining files (C:)



Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)


Hosts file scan result:

13 entries scanned.
New objects :0
Objects found so far: 1




Performing conditional scans..


IBIS Toolbar Object recognized!
    Type              : Folder
    Object            : c:\program files\Toolbar


IBIS Toolbar Object recognized!
    Type              : File
    Data              : temp
    Object            : c:\program files\toolbar\

    Created on        : 5/8/2004 11:07:39 PM
    Last accessed      : 5/10/2004 3:00:39 PM
    Last modified      : 5/8/2004 11:07:39 PM



Conditional scan result:

New objects : 2
Objects found so far: 3


10:36:02 PM Scan complete

Summary of this scan

Total scanning time :00:02:15:31
Objects scanned :46136
Objects identified :3
Objects ignored :0
New objects :3


Um, I can't figure out how to create a log with Spybot...but the new version found a lot of new things it didn't find 8 hours ago.
Aivanther
Oops, found out it does it automatically :lol:

QUOTE
--- Report generated: 2004-05-16 22:45 ---

Cache: Cache (4028) (Cache, nothing done)


Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm

Commission Junction: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


Common Dialogs: History (56 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (374) (Cookie, nothing done)


CoolWWWSearch: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


FreeScratchAndWin: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


HuntBar: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\BTIEIN

LinkSynergy: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\WINDOWS\DtcInstall.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: setuplog.txt (Backup file, nothing done)
C:\WINDOWS\setuplog.txt

Log: Install: svcpack.log (Backup file, nothing done)
C:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemsnmp.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


WebTrends live: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


WebTrends live: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)


WebTrends live: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, nothing done)



--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi


Here's the fix log:

QUOTE
--- Report generated: 2004-05-16 22:50 ---

Cache: Cache (4028) (Cache, nothing done)


Alexa Related: What's related link (Replace file, fixed)
C:\WINDOWS\Web\related.htm

Commission Junction: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


Common Dialogs: History (56 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (374) (Cookie, nothing done)


CoolWWWSearch: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


FreeScratchAndWin: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


HitBox: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


HuntBar: Global settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\BTIEIN

LinkSynergy: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\WINDOWS\DtcInstall.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: setuplog.txt (Backup file, nothing done)
C:\WINDOWS\setuplog.txt

Log: Install: svcpack.log (Backup file, nothing done)
C:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemsnmp.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


-- The nicest hobby on Earth ;) --Tracker: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


WebTrends live: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


WebTrends live: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)


WebTrends live: Tracking cookie (Internet Explorer: Alex Barrett) (Cookie, fixed)



--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi


edit: I'm a bit disturbed to see something called "-- The nicest hobby on Earth ;) --Tracker" on my PC...should I be talking to my roommates about what they're looking up on my computer, or is there a way I could have had it other than porn being viewed on my PC?
CalamityJane
We're dealing with two problems here, neither of which is showing in your HijackThis log.

1. One is the remnants of Huntbar and the other is this difficult new coolwebsearch variant that has hidden files embedded in your system (those files seen in the Vx2finder). There is a new version of Vx2finder this morning. Please delete the one you have and download this new version:

http://tools.zerosrealm.com/VX2Finder.exe


2. Huntbar remnants are the IBIS toolbar items found by both Adaware and Spybot. I'm not sure why the Spybot fix is not working. However, did you also remove the items found in Adaware? Namely, these:

IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\BTIEIN


Registry scan result :

New objects : 1
Objects found so far: 1
..........................................
IBIS Toolbar Object recognized!
Type : Folder
Object : c:\program files\Toolbar


IBIS Toolbar Object recognized!
Type : File
Data : temp
Object : c:\program files\toolbar\

Created on : 5/8/2004 11:07:39 PM
Last accessed : 5/10/2004 3:00:39 PM
Last modified : 5/8/2004 11:07:39 PM
...................................................................
Did you reboot after removing those items found and scan again? You may need to scan with Adaware and Spybot in safe mode.

Afterwards
You can look for these items to make sure they are gone:

c:\program files\toolbar <--delete this folder if found (you may need to be in safe mode)

In your registry, look for this item (if found):
IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\BTIEIN <----This is Huntbar

I would like to get rid of the Huntbar items first. Then for the Vx2, I would like to see a new log of what the new tool reports after you download and run the new one. This is a very new fix and I want to wait a bit before actually trying to fix it. Just post the log from the "find".

This is what is probably putting those cookies on your PC (the CoolWebSearch redirects your searches to porn pages).
Aivanther
QUOTE (CalamityJane @ May 17 2004, 05:55 AM)
IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\BTIEIN


Registry scan result :

New objects : 1
Objects found so far: 1
..........................................
IBIS Toolbar Object recognized!
Type : Folder
Object : c:\program files\Toolbar


IBIS Toolbar Object recognized!
Type : File
Data : temp
Object : c:\program files\toolbar\

Created on : 5/8/2004 11:07:39 PM
Last accessed : 5/10/2004 3:00:39 PM
Last modified : 5/8/2004 11:07:39 PM
...................................................................

The first one is the one spybot won't/can't remove, even in safe mode.

The second and third are what keeps re-appearing in Adaware, even after deletion.

QUOTE
Afterwards
You can look for these items to make sure they are gone:

c:\program files\toolbar <--delete this folder if found (you may need to be in safe mode)


It wouldn't let me delete this, even in safe mode. Nor was Spybot able to delete the Huntbar in safe mode, either time (booted twice to safe mode).

And I don't know how to find/open my registry, so I couldn't check it myself.

Here's the new vx2 log:

QUOTE
Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6ao4svc.dll
C:\WINDOWS\System32\6co4svc.dll
C:\WINDOWS\System32\6do4svc.dll
C:\WINDOWS\System32\6go4svc.dll
C:\WINDOWS\System32\6ho4svc.dll
C:\WINDOWS\System32\6io4svc.dll
C:\WINDOWS\System32\6po4svc.dll
C:\WINDOWS\System32\6ro4svc.dll
C:\WINDOWS\System32\6wo4svc.dll
C:\WINDOWS\System32\6xo4svc.dll
C:\WINDOWS\System32\6zo4svc.dll
C:\WINDOWS\System32\asaamon.dll
C:\WINDOWS\System32\ayledit.dll
C:\WINDOWS\System32\azaamon.dll


Guardian Key--- is called: GuardianIMPGF
Asynchronous 000
DllName C:\WINDOWS\system32\asaamon.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {4C505162-DBCE-442E-B4CE-CB5F8B4C8A91}
IDex DS3

User Agent String---
{4C505162-DBCE-442E-B4CE-CB5F8B4C8A91}
Aivanther
Oh yeah, Adaware and Spybot logs:

Spybot:
QUOTE
--- Report generated: 2004-05-17 12:24 ---

Cache: Cache (4450) (Cache, nothing done)
 

Common Dialogs: History  (57 files) (Registry key, nothing done)
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (357) (Cookie, nothing done)
 

HuntBar: Global settings (Registry key, fixing failed)
  HKEY_LOCAL_MACHINE\Software\BTIEIN

Log:  Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\wmiprov.log

Log:  Activity: imsins.log (Backup file, nothing done)
  C:\WINDOWS\imsins.log

Log:  Activity: OEWABLog.txt (Backup file, nothing done)
  C:\WINDOWS\OEWABLog.txt

Log:  Activity: SchedLgU.Txt (Backup file, nothing done)
  C:\WINDOWS\SchedLgU.Txt

Log:  Install: comsetup.log (Backup file, nothing done)
  C:\WINDOWS\comsetup.log

Log:  Install: Directx.log (Backup file, nothing done)
  C:\WINDOWS\Directx.log

Log:  Install: DtcInstall.log (Backup file, nothing done)
  C:\WINDOWS\DtcInstall.log

Log:  Install: ocgen.log (Backup file, nothing done)
  C:\WINDOWS\ocgen.log

Log:  Install: setupact.log (Backup file, nothing done)
  C:\WINDOWS\setupact.log

Log:  Install: setupapi.log (Backup file, nothing done)
  C:\WINDOWS\setupapi.log

Log:  Install: setuplog.txt (Backup file, nothing done)
  C:\WINDOWS\setuplog.txt

Log:  Install: svcpack.log (Backup file, nothing done)
  C:\WINDOWS\svcpack.log

Log:  Install: wmsetup.log (Backup file, nothing done)
  C:\WINDOWS\wmsetup.log

Log:  Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log:  Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\setup.log

Log:  Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log:  Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log:  Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\wbemess.log

Log:  Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\wbemprox.log

Log:  Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\wbemsnmp.log

Log:  Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log:  Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\wmiadap.log


--- Spybot - Search && Destroy version: 1.3  ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi


Adaware:
QUOTE
Lavasoft Ad-aware Personal Build 6.181
Logfile created on  :Monday, May 17, 2004 12:46:43 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R304 16.05.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


5-17-2004 12:46:43 PM - Scan started. (Smart mode)

Listing running processes


#:1 [smss.exe]
    FilePath          : \SystemRoot\System32\
    ThreadCreationTime : 5-17-2004 5:38:24 PM
    BasePriority      : Normal


#:2 [winlogon.exe]
    FilePath          : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 5-17-2004 5:38:27 PM
    BasePriority      : High


#:3 [services.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-17-2004 5:38:28 PM
    BasePriority      : Normal
    FileSize          : 99 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName      : services.exe
    OriginalFilename  : services.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 8/18/2001 12:00:00 PM

#:4 [lsass.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-17-2004 5:38:28 PM
    BasePriority      : Normal
    FileSize          : 11 KB
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion    : 5.1.2600.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName      : lsass.exe
    OriginalFilename  : lsass.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 8/29/2002 10:41:26 AM

#:5 [svchost.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-17-2004 5:38:29 PM
    BasePriority      : Normal
    FileSize          : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    OriginalFilename  : svchost.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 8/18/2001 12:00:00 PM

#:6 [svchost.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-17-2004 5:38:29 PM
    BasePriority      : Normal
    FileSize          : 12 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    OriginalFilename  : svchost.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 8/18/2001 12:00:00 PM

#:7 [ccsetmgr.exe]
    FilePath          : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-17-2004 5:38:32 PM
    BasePriority      : Normal
    FileSize          : 229 KB
    FileVersion        : 2.1.0.610
    ProductVersion    : 2.1.0.610
    Copyright          : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Settings Manager Service
    InternalName      : ccSetMgr
    OriginalFilename  : ccSetMgr.exe
    ProductName        : Common Client
    Created on        : 11/30/2003 3:01:53 AM
    Last accessed      : 5/17/2004 4:50:31 PM
    Last modified      : 11/10/2003 7:30:12 PM

#:8 [ccevtmgr.exe]
    FilePath          : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-17-2004 5:38:32 PM
    BasePriority      : Normal
    FileSize          : 249 KB
    FileVersion        : 2.1.0.610
    ProductVersion    : 2.1.0.610
    Copyright          : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client Event Manager Service
    InternalName      : ccEvtMgr
    OriginalFilename  : ccEvtMgr.exe
    ProductName        : Common Client
    Created on        : 11/30/2003 3:01:52 AM
    Last accessed      : 5/17/2004 4:50:33 PM
    Last modified      : 11/10/2003 7:30:04 PM

#:9 [spoolsv.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-17-2004 5:38:33 PM
    BasePriority      : Normal
    FileSize          : 50 KB
    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName      : spoolsv.exe
    OriginalFilename  : spoolsv.exe
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 8/18/2001 12:00:00 PM

#:10 [ctsvccda.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-17-2004 5:38:33 PM
    BasePriority      : Normal
    FileSize          : 43 KB
    FileVersion        : 1.0.1.0
    ProductVersion    : 1.0.0.0
    Copyright          : Copyright © Creative Technology Ltd., 1999. All rights reserved.
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative Service for CDROM Access
    InternalName      : CTsvcCDAEXE
    OriginalFilename  : CTsvcCDA.EXE
    ProductName        : Creative Service for CDROM Access
    Created on        : 1/4/2004 11:20:36 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 12/13/1999 7:01:00 AM

#:11 [runservice.exe]
    FilePath          : C:\WINDOWS\
    ThreadCreationTime : 5-17-2004 5:38:33 PM
    BasePriority      : Normal
    FileSize          : 2 KB
    Created on        : 9/13/2003 12:42:02 AM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 9/13/2003 12:42:02 AM

#:12 [navapsvc.exe]
    FilePath          : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 5-17-2004 5:38:33 PM
    BasePriority      : Normal
    FileSize          : 154 KB
    FileVersion        : 10.00.13
    ProductVersion    : 10.00.13
    Copyright          : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright © 2003 Symantec Corporation. All rights reserved.
    CompanyName        : Symantec Corporation
    FileDescription    : Norton AntiVirus Auto-Protect Service
    InternalName      : NAVAPSVC
    OriginalFilename  : NAVAPSVC.EXE
    ProductName        : Norton AntiVirus
    Created on        : 12/12/2003 11:32:20 PM
    Last accessed      : 5/17/2004 4:50:36 PM
    Last modified      : 12/5/2003 12:22:28 AM

#:13 [nvsvc32.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-17-2004 5:38:33 PM
    BasePriority      : Normal
    FileSize          : 80 KB
    FileVersion        : 6.14.10.5216
    ProductVersion    : 6.14.10.5216
    Copyright          : © NVIDIA Corporation. All rights reserved.
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 52.16
    InternalName      : NVSVC
    OriginalFilename  : nvsvc32.exe
    ProductName        : NVIDIA Driver Helper Service, Version 52.16
    Created on        : 10/6/2003 8:16:00 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 10/6/2003 8:16:00 PM

#:14 [savscan.exe]
    FilePath          : C:\Program Files\Norton AntiVirus\
    ThreadCreationTime : 5-17-2004 5:38:34 PM
    BasePriority      : Normal
    FileSize          : 189 KB
    FileVersion        : 9.2.1.14
    ProductVersion    : 9.2
    Copyright          : Copyright © 2003 Symantec Corporation
    CompanyName        : Symantec Corporation
    FileDescription    : Symantec AntiVirus Scanner
    InternalName      : SAVSCAN
    OriginalFilename  : SAVSCAN.EXE
    ProductName        : Symantec AntiVirus AutoProtect
    Created on        : 12/12/2003 11:32:22 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 12/5/2003 12:22:30 AM

#:15 [symlcsvc.exe]
    FilePath          : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
    ThreadCreationTime : 5-17-2004 5:38:34 PM
    BasePriority      : Normal
    FileSize          : 572 KB
    FileVersion        : 1, 8, 48, 77
    ProductVersion    : 1, 8, 48, 77
    Copyright          : Copyright © 2003
    CompanyName        : Symantec Corporation
    FileDescription    : Symantec Core Component
    InternalName      : symlcsvc
    OriginalFilename  : symlcsvc.exe
    ProductName        : Symantec Core Component
    Created on        : 10/13/2003 8:18:33 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 10/13/2003 8:18:32 PM

#:16 [mspmspsv.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-17-2004 5:38:34 PM
    BasePriority      : Normal
    FileSize          : 52 KB
    FileVersion        : 7.00.00.1954
    ProductVersion    : 7.00.00.1954
    Copyright          : Copyright © Microsoft Corp. 1981-2000
    CompanyName        : Microsoft Corporation
    FileDescription    : WMDM PMSP Service
    InternalName      : MSPMSPSV.EXE
    OriginalFilename  : MSPMSPSV.EXE
    ProductName        : Microsoft ® DRM
    Created on        : 6/26/2000 12:44:20 PM
    Last accessed      : 5/17/2004 5:02:12 PM
    Last modified      : 6/26/2000 12:44:20 PM

#:17 [rundll32.exe]
    FilePath          : C:\WINDOWS\system32\
    ThreadCreationTime : 5-17-2004 5:39:30 PM
    BasePriority      : Normal
    FileSize          : 31 KB
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion    : 5.1.2600.0
    CompanyName        : Microsoft Corporation
    FileDescription    : Run a DLL as an App
    InternalName      : rundll
    OriginalFilename  : RUNDLL.EXE
    ProductName        : Microsoft
    Created on        : 8/18/2001 12:00:00 PM
    Last accessed      : 5/17/2004 5:39:34 PM
    Last modified      : 8/18/2001 12:00:00 PM

#:18 [devldr32.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-17-2004 5:39:30 PM
    BasePriority      : Normal
    FileSize          : 25 KB
    FileVersion        : 1, 0, 0, 22
    ProductVersion    : 1, 0, 0, 22
    Copyright          : Copyright 
    CompanyName        : Creative Technology Ltd.
    FileDescription    : DevLdr32
    InternalName      : DevLdr
    OriginalFilename  : DevLdr32.exe
    ProductName        : Creative Ring3 NT Inteface
    Created on        : 1/4/2004 11:14:04 PM
    Last accessed      : 5/17/2004 4:48:41 PM
    Last modified      : 8/31/2001 1:44:30 PM

#:19 [explorer.exe]
    FilePath          : C:\WINDOWS\
    ThreadCreationTime : 5-17-2004 5:39:33 PM
    BasePriority      : Normal
    FileSize          : 980 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion    : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName      : explorer
    OriginalFilename  : EXPLORER.EXE
    ProductName        : Microsoft
    Created on        : 9/13/2003 4:34:38 PM
    Last accessed      : 5/17/2004 5:39:33 PM
    Last modified      : 8/29/2002 10:41:24 AM

#:20 [ccapp.exe]
    FilePath          : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 5-17-2004 5:39:34 PM
    BasePriority      : Normal
    FileSize          : 69 KB
    FileVersion        : 2.1.0.610
    ProductVersion    : 2.1.0.610
    Copyright          : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client User Session
    InternalName      : ccApp
    OriginalFilename  : ccApp.exe
    ProductName        : Common Client
    Created on        : 11/30/2003 3:01:52 AM
    Last accessed      : 5/17/2004 5:39:34 PM
    Last modified      : 11/10/2003 7:30:02 PM

#:21 [jusched.exe]
    FilePath          : C:\Program Files\Java\j2re1.4.2_03\bin\
    ThreadCreationTime : 5-17-2004 5:39:35 PM
    BasePriority      : Normal
    FileSize          : 32 KB
    Created on        : 11/19/2003 10:48:18 PM
    Last accessed      : 5/17/2004 5:39:35 PM
    Last modified      : 11/19/2003 10:48:14 PM

#:22 [diagent.exe]
    FilePath          : C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\
    ThreadCreationTime : 5-17-2004 5:39:35 PM
    BasePriority      : Normal
    FileSize          : 168 KB
    FileVersion        : 1.0.10.0
    ProductVersion    : 1.00.10
    Copyright          : Copyright © 2001 Creative Technology Ltd
    CompanyName        : Creative Technology Ltd
    FileDescription    : Creative Diagnostics Agent
    InternalName      : Creative Diagnostics Agent
    OriginalFilename  : diagent.exe
    ProductName        : Creative Diagnostics Agent
    Created on        : 9/7/2003 6:38:58 PM
    Last accessed      : 5/17/2004 5:39:35 PM
    Last modified      : 8/30/2001 7:00:00 AM

#:23 [bartshel.exe]
    FilePath          : C:\Program Files\ISP50\bin\
    ThreadCreationTime : 5-17-2004 5:39:35 PM
    BasePriority      : Normal
    FileSize          : 132 KB
    FileVersion        : 5, 6, 0, 61
    ProductVersion    : 5, 0, 0, 0
    Copyright          : Copyright 
    CompanyName        : PeoplePC
    FileDescription    : PeoplePal Module
    InternalName      : PeoplePal
    OriginalFilename  : BartShel.exe
    ProductName        : BartShell Module
    Created on        : 3/2/2004 7:19:24 PM
    Last accessed      : 5/17/2004 5:38:24 PM
    Last modified      : 3/2/2004 7:19:24 PM

#:24 [realsched.exe]
    FilePath          : C:\Program Files\Common Files\Real\Update_OB\
    ThreadCreationTime : 5-17-2004 5:39:36 PM
    BasePriority      : Normal
    FileSize          : 172 KB
    FileVersion        : 0.1.0.2879
    ProductVersion    : 0.1.0.2879
    Copyright          : Copyright 
    CompanyName        : RealNetworks, Inc.
    FileDescription    : RealNetworks Scheduler
    InternalName      : schedapp
    OriginalFilename  : realsched.exe
    ProductName        : RealPlayer (32-bit)
    Created on        : 2/8/2004 4:05:21 AM
    Last accessed      : 5/17/2004 5:39:36 PM
    Last modified      : 2/8/2004 4:05:21 AM

#:25 [sgmain.exe]
    FilePath          : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 5-17-2004 5:39:37 PM
    BasePriority      : Normal
    FileSize          : 352 KB
    FileVersion        : 2.02.0001
    ProductVersion    : 2.02.0001
    Copyright          : Copyright © 2002-2003 Javacool Software LLC
    FileDescription    : SpywareGuard
    InternalName      : sgmain
    OriginalFilename  : sgmain.exe
    ProductName        : SpywareGuard
    Created on        : 8/30/2003 12:05:35 AM
    Last accessed      : 5/17/2004 5:39:37 PM
    Last modified      : 8/30/2003 12:05:35 AM

#:26 [msiexec.exe]
    FilePath          : C:\WINDOWS\System32\
    ThreadCreationTime : 5-17-2004 5:39:38 PM
    BasePriority      : Normal
    FileSize          : 63 KB
    FileVersion        : 2.0.2600.1106
    ProductVersion    : 2.0.2600.1106
    Copyright          : Copyright 
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows
    InternalName      : msiexec
    OriginalFilename  : msiexec.exe
    ProductName        : Windows Installer - Unicode
    Created on        : 9/13/2003 4:37:45 PM
    Last accessed      : 5/17/2004 5:26:30 PM
    Last modified      : 8/29/2002 10:41:26 AM

#:27 [ppshared.exe]
    FilePath          : C:\PROGRA~1\ISP50\bin\
    ThreadCreationTime : 5-17-2004 5:39:38 PM
    BasePriority      : Normal
    FileSize          : 89 KB
    FileVersion        : 5, 5, 3, 21
    ProductVersion    : 5, 0, 0, 0
    Copyright          : Copyright 2003
    CompanyName        : PeoplePC
    FileDescription    : PPShared Module
    InternalName      : PPShared
    OriginalFilename  : PPShared.EXE
    ProductName        : PPShared Module
    Created on        : 11/25/2003 4:37:38 PM
    Last accessed      : 5/17/2004 4:50:32 PM
    Last modified      : 11/25/2003 4:37:38 PM

#:28 [sgbhp.exe]
    FilePath          : C:\Program Files\SpywareGuard\
    ThreadCreationTime : 5-17-2004 5:39:58 PM
    BasePriority      : Normal
    FileSize          : 228 KB
    FileVersion        : 2.02.0001
    ProductVersion    : 2.02.0001
    Copyright          : Copyright © 2002-2003 Javacool Software LLC.
    FileDescription    : SG Browser Hijacking Protection
    InternalName      : sgbhp
    OriginalFilename  : sgbhp.exe
    ProductName        : SG Browser Hijacking Protection
    Created on        : 8/29/2003 4:14:56 PM
    Last accessed      : 5/17/2004 4:50:50 PM
    Last modified      : 8/29/2003 4:14:56 PM

#:29 [spybotsd.exe]
    FilePath          : C:\Program Files\Spybot - Search & Destroy\
    ThreadCreationTime : 5-17-2004 5:40:25 PM
    BasePriority      : Normal
    FileSize          : 3855 KB
    FileVersion        : 1, 3, 0, 12
    ProductVersion    : 1, 3, 0, 12
    CompanyName        : Safer Networking Limited
    FileDescription    : Spybot - Search & Destroy
    InternalName      : SpyBotSD
    OriginalFilename  : SpyBotSD.exe
    ProductName        : SpyBot-S&D
    Created on        : 5/12/2004 6:03:00 AM
    Last accessed      : 5/17/2004 5:41:06 PM
    Last modified      : 5/12/2004 6:03:00 AM

#:30 [iexplore.exe]
    FilePath          : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5-17-2004 5:40:51 PM
    BasePriority      : Normal
    FileSize          : 89 KB
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion    : 6.00.2800.1106
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName      : iexplore
    OriginalFilename  : IEXPLORE.EXE
    ProductName        : Microsoft
    Created on        : 9/13/2003 4:35:10 PM
    Last accessed      : 5/17/2004 5:40:54 PM
    Last modified      : 8/29/2002 10:41:26 AM

#:31 [msmsgs.exe]
    FilePath          : C:\Program Files\Messenger\
    ThreadCreationTime : 5-17-2004 5:44:43 PM
    BasePriority      : Normal
    FileSize          : 1476 KB
    FileVersion        : 4.7.0041
    ProductVersion    : Version 4.7
    Copyright          : Copyright © Microsoft Corporation 1997-2001
    CompanyName        : Microsoft Corporation
    FileDescription    : Messenger
    InternalName      : msmsgs
    OriginalFilename  : msmsgs.exe
    ProductName        : Messenger
    Created on        : 9/13/2003 4:37:52 PM
    Last accessed      : 5/17/2004 5:38:24 PM
    Last modified      : 8/29/2002 10:41:26 AM

#:32 [ad-aware.exe]
    FilePath          : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 5-17-2004 5:46:38 PM
    BasePriority      : Normal
    FileSize          : 668 KB
    FileVersion        : 6.0.1.181
    ProductVersion    : 6.0.0.0
    Copyright          : Copyright 
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-aware 6 core application
    InternalName      : Ad-aware.exe
    OriginalFilename  : Ad-aware.exe
    ProductName        : Lavasoft Ad-aware Plus
    Created on        : 12/13/2003 1:07:51 AM
    Last accessed      : 5/17/2004 5:46:37 PM
    Last modified      : 7/13/2003 4:00:20 AM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


IBIS Toolbar Object recognized!
    Type              : RegKey
    Data              :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : Software\BTIEIN


Registry scan result :

New objects : 1
Objects found so far: 1


Started deep registry scan


Deep registry scan result :

New objects : 0
Objects found so far: 1






Deep scanning and examining files (C:)



Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)


Hosts file scan result:

13 entries scanned.
New objects :0
Objects found so far: 1




Performing conditional scans..


IBIS Toolbar Object recognized!
    Type              : Folder
    Object            : c:\program files\Toolbar


IBIS Toolbar Object recognized!
    Type              : File
    Data              : temp
    Object            : c:\program files\toolbar\

    Created on        : 5/8/2004 11:07:39 PM
    Last accessed      : 5/10/2004 3:00:39 PM
    Last modified      : 5/8/2004 11:07:39 PM



Conditional scan result:

New objects : 2
Objects found so far: 3


12:49:06 PM Scan complete

Summary of this scan

Total scanning time :00:02:22:203
Objects scanned :46386
Objects identified :3
Objects ignored :0
New objects :3


And yes, I fixed all three in Adaware.
LoPhatPhuud
Hi Aivanther,

Calamity Jane asked me to give a hand with the Look2me/VX2.BetterInternet infection. The fix has just undergone some changes and I have been following this and one other rather closely. CJ will still be the main contact for other issues.


The program we are downloading is the newest version, so delete any prior version you have first.

Download the following tool and install it in its own folder:
http://tools.zerosrealm.com/VX2Finder.exe

Press 'Click to Find VX2.BetterInternet'.
Press 'Make Log' and post it in this thread for review.

Select all the files found.
Press 'Delete These Files'.

The program will delete all files but one, which will be deleted on reboot.
Allow the program to reboot.

Once Restarted:
Press 'Guardian.reg'.
Press 'User Agent'.
Press 'Restore Policy'.

Update AdAware to make sure you have the most recent Reference file, then run it.

Run the VX2finder program again.
Press 'Click to Find VX2.BetterInternet'.
Save the log and post it in this thread.

Post a new HiJackThis log in this thread.

Thanks for your cooperation.
Aivanther
Pre-Fix VX2 log:
QUOTE
Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6ao4svc.dll
C:\WINDOWS\System32\6co4svc.dll
C:\WINDOWS\System32\6do4svc.dll
C:\WINDOWS\System32\6go4svc.dll
C:\WINDOWS\System32\6ho4svc.dll
C:\WINDOWS\System32\6io4svc.dll
C:\WINDOWS\System32\6mo4svc.dll
C:\WINDOWS\System32\6po4svc.dll
C:\WINDOWS\System32\6ro4svc.dll
C:\WINDOWS\System32\6wo4svc.dll
C:\WINDOWS\System32\6xo4svc.dll
C:\WINDOWS\System32\6zo4svc.dll
C:\WINDOWS\System32\asaamon.dll
C:\WINDOWS\System32\ayledit.dll
C:\WINDOWS\System32\azaamon.dll


Guardian Key--- is called: GuardianSFNVB
Asynchronous 000
DllName C:\WINDOWS\system32\asaamon.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {4C505162-DBCE-442E-B4CE-CB5F8B4C8A91}
IDex DS3

User Agent String---
{4C505162-DBCE-442E-B4CE-CB5F8B4C8A91}


Post-Delete VX2 log:
QUOTE
Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---


HijackThis log:
QUOTE
Logfile of HijackThis v1.97.7
Scan saved at 2:07:06 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7877.3942013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
LoPhatPhuud
Hello again Aivanther,

Thank you for the logs. Look2me/VX2 BetterInternet is now gone. That new fix is great!!

I will turn your log back to CalamityJane for review and any other actions she thinks necessary.
CalamityJane
Thanks for the assist on the Vx2 infection, LPP - much appreciated :thumb:

We still have the stubborn Huntbar issue.

First, make a backup of your Registry:

How to Back Up Your Windows Registry
http://service1.symantec.com/SUPPORT/sunse...src=bar_sch_nam

Make sure you are logged on as the Administrator account.

Then follow the manual instructions for removal here (this is for your variant of Huntbar):
HuntBar.btiein
Manual removal
http://www.kephyr.com/spywarescanner/libra...ein/index.phtml
Aivanther
QUOTE
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {63B78BC1-A711-4D46-AD2F-C581AC420D41}, if it exists.

Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {63B78BC1-A711-4D46-AD2F-C581AC420D41}, if it exists.

C:\Windows\System32\btiein.dll


I triple checked, I couldn't find any of these. And spybot still finds Huntbar. However, I noticed in the log that it finds it at: HKEY_LOCAL_MACHINE\Software\BTIEIN

When I looked at that, I found something called:
Name: (Default)
Type: REG_SZ
Data: (value not set)

with a subfolder, also called BTIEIN (HKEY_LOCAL_MACHINE\Software\BTIEIN\BTIEIN)
that contains
(Default)
CFG_VER
FIT
IGU
LastCheck
LastDll
LastTaskID
Reboot
STimeout
TaskCount
TB_ID

There's another subfolder, called taskcache (HKEY_LOCAL_MACHINE\Software\BTIEIN\BTIEIN\taskcache).
When I try to select it I get the error message
"Cannot open taskcache: Error while opening key."

Sorry for the hassle, and thanks for all you've done so far.
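The removal steps quoted above amount to checking the Browser Helper Objects list for one CLSID, resolving that CLSID to its DLL and removing both. The following PowerShell script is an added example (not code from the thread, from HijackThis or from the kephyr instructions) that performs the lookup part of that check for every registered BHO, the way the O2 lines of a HijackThis log do: it walks the BHO list, resolves each CLSID through `HKLM\SOFTWARE\Classes\CLSID\{...}\InprocServer32`, reports whether the DLL still exists on disk and flags the CLSID quoted above. It assumes a modern Windows host with PowerShell (which did not exist on Windows XP in 2004); the `Wow6432Node` paths are included for 64-bit hosts and would simply be absent on the poster's 32-bit machine.

```powershell
# Added example, not from the original thread or any tool it mentions.
# Enumerates registered Browser Helper Objects, resolves each CLSID to its
# DLL and flags the CLSID quoted in the removal instructions above.
# Assumes a modern Windows host with PowerShell; read access to HKLM is enough.
param([string[]]$Suspect = @('{63B78BC1-A711-4D46-AD2F-C581AC420D41}'))

# 32-bit and (on 64-bit hosts) WOW64 views of the BHO list and of the CLSID table.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
)

function Get-BhoList {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($bho in Get-ChildItem -Path $root) {
            $clsid = $bho.PSChildName          # the {GUID} subkey name
            $dll = $null; $name = $null
            # The DLL path is the default value of CLSID\{GUID}\InprocServer32;
            # the friendly name (if any) is the default value of CLSID\{GUID}.
            foreach ($cr in $clsidRoots) {
                $srv = Join-Path $cr "$clsid\InprocServer32"
                if (Test-Path -Path $srv) {
                    $dll  = (Get-ItemProperty -Path $srv).'(default)'
                    $name = (Get-ItemProperty -Path (Join-Path $cr $clsid)).'(default)'
                    break
                }
            }
            # InprocServer32 may be REG_EXPAND_SZ and may be quoted; normalise before Test-Path.
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll).Trim('"') } else { $null }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                DllExists = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
                Suspect   = ($Suspect -contains $clsid)   # case-insensitive comparison
                Registry  = $bho.Name                     # where this BHO entry lives
            }
        }
    }
}

Get-BhoList | Format-Table -AutoSize
```

A BHO entry whose CLSID has no `InprocServer32` key, or whose DLL no longer exists, is a leftover registration that does nothing until a matching DLL is put back; a BHO whose DLL does exist is the one Internet Explorer will actually load. The script only reports; deleting the BHO key and the CLSID key is the step the quoted instructions describe, and it should be done after the registry backup recommended earlier in the thread.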
CalamityJane
Don't apologize, it's not your fault. This one can apparently be very difficult.

http://www.pchell.com/support/huntbar.shtml
QUOTE
In some cases the registry entry HKEY_LOCAL_MACHINE\Software\BTIEIN has been difficult, if not impossible to remove. In these instances change the user account to Administrator access and try to delete it or run SpyBot after changing to Administrator privileges.


I'm going to have to do some more digging <_<
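"Error while opening key" followed by a delete that fails even for an administrator is, in most cases, a key whose owner or DACL has been changed so that the interactive account has no access. The PowerShell script below is an added example (not code from the thread or from pchell's instructions) showing how a practitioner would confirm that and undo it: it prints the key's owner and access rules, and only with `-Fix` exports a backup, takes ownership, grants Administrators full control, removes Deny entries and deletes the key. Assumptions: the key path reported above, an elevated PowerShell session (elevated Administrator tokens hold the take-ownership privilege), and a modern Windows host, since PowerShell was not available on Windows XP in 2004. One caveat the thread does not settle: if the ACL turns out to be normal and the delete still fails, the cause is something else (a key name regedit cannot display is one known trick), and this script will not help with that.

```powershell
# Added example, not code from the original thread or from any tool it names.
# Inspects, and with -Fix resets, the security descriptor on the registry key
# the poster could not delete. Assumed inputs: the key path (relative to
# HKEY_LOCAL_MACHINE, as reported in the thread) and an elevated session.
param(
    [string]$SubKey = 'SOFTWARE\BTIEIN',
    [switch]$Fix
)

$hive      = [Microsoft.Win32.Registry]::LocalMachine
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier(
                 [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

# 1. Read the security descriptor. This needs only READ_CONTROL, which the
#    owner of the key always has even when every other right has been denied.
$key = $hive.OpenSubKey($SubKey,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
           [System.Security.AccessControl.RegistryRights]::ReadPermissions)
if (-not $key) { throw "HKLM\$SubKey does not exist." }
$sec = $key.GetAccessControl()
$key.Close()

"Owner: " + $sec.GetOwner([System.Security.Principal.NTAccount])
$sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, AccessControlType, RegistryRights, IsInherited -AutoSize

# A Deny entry, or an owner other than Administrators/SYSTEM, is the usual
# reason regedit reports "Error while opening key" and refuses the delete.
$denies = @($sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.AccessControlType -eq 'Deny' })
"Deny entries on HKLM\${SubKey}: $($denies.Count)"

if (-not $Fix) { return }

# 2. Back the key up first. reg.exe may itself be refused on a locked key, so a
#    failure here is reported but does not stop the fix.
$backup = Join-Path $env:TEMP ('btiein-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export "HKEY_LOCAL_MACHINE\$SubKey" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { "Warning: reg.exe could not export HKLM\$SubKey before deletion." }

# 3. Take ownership. Opening with only the TakeOwnership right succeeds even when
#    the DACL denies everything else, provided the caller holds SeTakeOwnershipPrivilege.
$key = $hive.OpenSubKey($SubKey,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::TakeOwnership)
$sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Owner)
$sec.SetOwner($adminsSid)
$key.SetAccessControl($sec)
$key.Close()

# 4. As owner we now have WRITE_DAC: stop inheriting, drop every Deny entry and
#    give Administrators full control of the key and everything below it.
$key = $hive.OpenSubKey($SubKey,
           [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
           [System.Security.AccessControl.RegistryRights]::ChangePermissions)
$sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
$sec.SetAccessRuleProtection($true, $true)      # inherited rules become explicit copies
foreach ($rule in $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    if ($rule.AccessControlType -eq 'Deny') { [void]$sec.RemoveAccessRule($rule) }
}
$full = New-Object System.Security.AccessControl.RegistryAccessRule(
            $adminsSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$sec.SetAccessRule($full)
$key.SetAccessControl($sec)
$key.Close()

# 5. The delete that regedit refused should now go through.
Remove-Item -Path "HKLM:\$SubKey" -Recurse -Force
"Deleted HKLM\$SubKey (backup: $backup)"
```

Run it once without `-Fix` and read the owner and the rule list before changing anything; a subkey such as the `taskcache` key mentioned above can carry its own Deny entries, which is why the fix grants rights with container and object inheritance and deletes recursively rather than stopping at the parent.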
CalamityJane
See if the manual removal instructions here work at all (follow the ones from BTIEIN)

Huntbar
http://www.doxdesk.com/parasite/HuntBar.html
Aivanther
Well, the whole "regsvr32 /u btiein.dll" thing didn't work, I get some message about how "The specified module could not be found" (btw %WINDIR% means the Windows folder, correct?), and the btiein.dll was not in my system32 folder. And none of the entries listed were in my Windows folder, and I still couldn't delete the btiein subkey in my regedit. :(

This thing is a real monster...thanks for all the help you've given so far, I really appreciate it. Sorry that it's such a hassle.
Aivanther
Bump... sorry, not being harassing, but just making sure you remember me.
LoPhatPhuud
Jane has been having some system problems today and I am filling in. It has been a while.

Thanks,
LoPhatPhuud
Download and install Registrar Lite from here: (its free)
http://www.resplendence.com/download/reglite.exe

Run Registrar Lite

Select 'Search' from the menu bar, then 'Search Registry'

In the Search Window:
Text to search for = Search Assistant
Search in = HKLM
Key Names = checked
Value Name = checked
Data = checked

Press Search (the magnifying glass at the bottom left)

When the search is complete, the keys found containing 'Search Assistant' will be displayed in the right pane. If there are none, quit and post that info.

In the right pane, right click on the first value and select 'Jump to'

You will be returned to the main window with the selected key displayed. In the left pane right click on the highlighted value and select 'Export'. Use the default value for the file name but put the numeral '1' after it and press 'Save'.

Go back to the Search screen, select the next value, and follow the same process for each value there, incrementing the number in the file name by one for each file.

When that is done, go back to the search window and follow the same procedure
but enter HKCU for 'Search in' instead of HKLM. There will probably be no key found.

Post all the files obtained and, if none for HKCU, just let me know. Once we have this info then we can finish cleaning it up.
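The procedure above (search one hive for "Search Assistant" in key names, value names and data, then export every matching key to a numbered file) can be scripted, which is also a convenient way to find keys that refuse to open. The PowerShell script below is an added example, not code from the thread or from Registrar Lite: it walks the chosen hive, collects keys whose name, value names or value data contain the search text, exports each with `reg.exe` to a numbered `.reg` file, and finally lists any key the walk could not open. Assumptions: a modern Windows host with PowerShell (not available on Windows XP in 2004), an elevated session for the HKLM pass, and the search text, hive and output folder given as parameters.

```powershell
# Added example, not code from the original thread or from Registrar Lite.
# PowerShell version of the search-and-export steps in the post above.
# Assumed inputs: search text, hive (HKLM or HKCU) and an output folder.
param(
    [string]$Pattern = 'Search Assistant',
    [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM',
    [string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop\reg-search')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# Escape wildcard characters so the search text is matched literally.
$wild = '*' + [System.Management.Automation.WildcardPattern]::Escape($Pattern) + '*'
$hits = New-Object System.Collections.Generic.List[Microsoft.Win32.RegistryKey]
$errs = @()

# Walk the whole hive. Keys that cannot be opened (like the "taskcache" key
# earlier in the thread) raise non-terminating errors, collected in $errs
# instead of aborting the search.
Get-ChildItem -Path "$($Hive):\" -Recurse -ErrorAction SilentlyContinue -ErrorVariable +errs |
    ForEach-Object {
        $key = $_
        $hit = $key.PSChildName -like $wild               # key name
        if (-not $hit) {
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                if ($data -is [byte[]]) {                  # REG_BINARY: try it as UTF-16 text
                    $data = [System.Text.Encoding]::Unicode.GetString($data)
                }
                if ($name -like $wild -or ([string]$data) -like $wild) { $hit = $true; break }
            }
        }
        if ($hit) { $hits.Add($key) }
    }

"{0} key(s) under {1} contain '{2}'" -f $hits.Count, $Hive, $Pattern

# Export each match to <pattern>-1.reg, <pattern>-2.reg, ... as the post asks.
$i = 0
foreach ($key in $hits) {
    $i++
    $file = Join-Path $OutDir ('{0}-{1}.reg' -f ($Pattern -replace '[^\w]', '_'), $i)
    # reg.exe wants the full key name, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\... ($key.Name).
    & reg.exe export $key.Name $file /y | Out-Null
    "{0,3}  {1}  ->  {2}" -f $i, $key.Name, $file
}

if ($errs) {
    "`nKeys that could not be opened (check their owner and ACL):"
    foreach ($e in $errs) {
        '  ' + $(if ($e.TargetObject) { $e.TargetObject } else { $e.Exception.Message })
    }
}
```

Run it once with `-Hive HKLM` from an elevated prompt and once with `-Hive HKCU` from the user's own session, which mirrors the two passes requested above; the `.reg` files are plain text and can be posted as-is, and the "could not be opened" list is the quickest way to see whether the locked key is the only one of its kind.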