Post by: charlie on October 25, 2005, 07:15:19 AM
I hope someone here can help me please. I keep getting this CWS.HiddenDll and can't get rid of it. 2 of my other spywares (TrustSoft AntiSpyware and Aluria) also keep telling me that I have this bug each night when I do a scan. My CWShredder vs2.00 also remove it every night as well.
Could someone here help me please. I need good instructions as I am not that computer savvy. That being so, I can follow instructions very well. I need someone with patience please. This is driving me mad.
Thanks in advance
Post by: charlie on October 25, 2005, 07:24:31 AM
Logfile of HijackThis v1.99.1
Scan saved at 10:20:27 PM, on 25/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALURIA~1\AL_ADS~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\iPass\Tempest Telecom Dialer\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\ALURIA~1\AluriaMsgSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\PROGRA~1\ALURIA~1\SecurityCenter.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\ALURIA~1\AluriaFW.exe
C:\WINDOWS\system32\AuthFw.exe
C:\Program Files\iPass\Tempest Telecom Dialer\downloader\ipccheck.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\MetroPipe Tunneler\app\plink.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Aluria Security Center] C:\PROGRA~1\ALURIA~1\SecurityCenter.exe /minimize
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic 4 Professional\SysMech4.exe /COMPLETECACHE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesau.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
O14 - IERESET.INF: MS_START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Installs...AST%20SETUP.cab (http://\"http://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab\")
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~1\AL_ADS~1.EXE
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\Tempest Telecom Dialer\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\Tempest Telecom Dialer\iPCAgent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\PROGRA~1\ALURIA~1\AluriaMsgSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Post by: guestolo on October 25, 2005, 08:06:19 PM
I know it sounds strange, but they will make it difficult to help with any fixes we must try
and make it hard to identify what we are up against
Here's what I would do
I would uninstall these first 2 programs if you didn't pay for them
They are not that good, free software such as Ad-Aware Personal 1.06 and Spybot 1.4 will do much better
These are the ones I would remove
Aluria Security Center
TrustSoft AntiSpyware
If you choose to keep the above, I need you too disable it's realtime protections
But I recommend you remove them
Restart after removal
I also need you to disable your other Spyware Protections
The ones I know of
SpySweeper=
To disable SpySweeper:
Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
eTrust™ PestPatrol Anti-Spyware=I've never used it but please ensure it's realtime protection is disabled
NOTE: It's not a good idea to run more than one Anti-Virus software on your computer
This can cause a decrease in system performance and conflicts
If you are running more than one, please disable one completely from running on startup or uninstall it
The same goes for Firewalls>>If you have more than one running please disable the others, which includes the built in firewall of Windows
I would hold onto Kerio and disable XP's
After you have done all the above
Restart your computer one more time
Browse a bit,
I hate to have you do it, but can you use Internet Explorer for awhile
and then come back here and post a fresh hijackthis log
This should help us identify what is actually going on
SpywareGuard=Double cllick it's icon by the clock
Left click Options
Uncheck everything under General Protection items
Save Settings
Click File>>Exit
Post by: charlie on October 26, 2005, 01:18:45 AM
I have also turn off the protection in SpywareGuard. I then restart the computer and browse around a bit. Here is the result of HJT:
Logfile of HijackThis v1.99.1
Scan saved at 4:14:22 PM, on 26/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALURIA~1\AL_ADS~1.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\iPass\Tempest Telecom Dialer\iPCAgent.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\ALURIA~1\AluriaMsgSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Program Files\iPass\Tempest Telecom Dialer\downloader\ipccheck.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\MetroPipe Tunneler\app\plink.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesau.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
O14 - IERESET.INF: MS_START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Installs...AST%20SETUP.cab (http://\"http://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab\")
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~1\AL_ADS~1.EXE
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\Tempest Telecom Dialer\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\Tempest Telecom Dialer\iPCAgent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\PROGRA~1\ALURIA~1\AluriaMsgSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Post by: guestolo on October 26, 2005, 10:22:46 AM
Quote
2 of my other spywares (TrustSoft AntiSpyware and Aluria) also keep telling me that I have this bug each night when I do a scan. My CWShredder vs2.00 also remove it every night as well.I have never used Trust or Aluria, and probably never will
I don't want to know if they are finding anything because I don't trust them
Cwshredder, the latest version is 2.15
I'll try and do what I can, but no promises
I still see Trust and Aluria in memory, could be interference
Also, still see SpywareGuard running
If this doesn't show nothing, I may have to step back from this one
Download DLLCompare (http://\"http://downloads.subratam.org/DllCompare.exe\")
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button and post it back here
Post by: charlie on October 26, 2005, 09:25:55 PM
I reran the HJT and here is the result:[/color]
Logfile of HijackThis v1.99.1
Scan saved at 12:18:04 PM, on 27/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\ALURIA~1\AL_ADS~1.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\iPass\Tempest Telecom Dialer\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\ALURIA~1\AluriaMsgSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPass\Tempest Telecom Dialer\downloader\ipccheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop (http://\"http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesau.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesau.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
O14 - IERESET.INF: MS_START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Installs...AST%20SETUP.cab (http://\"http://www.surveys.com/promptcast/Installs/SURVEYS.COM%20PROMPTCAST%20SETUP.cab\")
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: AL_ADSService - Aluria Software, LLC - C:\PROGRA~1\ALURIA~1\AL_ADS~1.EXE
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ascserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\Tempest Telecom Dialer\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\Tempest Telecom Dialer\iPCAgent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Aluria Message Service (MsgSrvService) - Aluria Software, LLC. - C:\PROGRA~1\ALURIA~1\AluriaMsgSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
[color=\"blue\"]Here is the result of the DLL compare:
[/color]
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />"________________________________________________
1,323 items found: 1,323 files, 0 directories.
Total of file sizes: 295,182,237 bytes 281.50 M
Administrator Account = True
--------------------End log---------------------
Post by: guestolo on October 26, 2005, 09:31:47 PM
I still see spywareguard running, does it keep blocking anything?????
Post by: charlie on October 26, 2005, 09:36:58 PM
After I posted my 2nd HJT scan following your instructions, I decided to uninstalled TrustSoft completely. Aluria is still there but none of its real time protection is on. I will use it only to run a scan eanch night. I shut down spysweeper and spyware guard as you instructed.
Re done a scan of HJT and a DLL compare for you.
I just ran the CWShredder vs2 again....(by the way vs2.15 never said I had the CWS.HiddenDll only the vs2 and Aluria and TrustSoft) and this time no CWS.HiddenDll is found. I'm doing a scan with Aluria to see if I'm getting the same result. Will post back the result.
charlie
Post by: charlie on October 26, 2005, 09:47:00 PM
I reran the CWShredder again just to make sure and this time the vs 2 said that it just removed the CWSHidden.Dll again.
Aluria said that I have CoolWebSearch, and Transponder.Bolger, and SearchSquire.
Just not my day
Post by: guestolo on October 26, 2005, 09:54:22 PM
Quote
Aluria said that I have CoolWebSearch, and Transponder.Bolger, and SearchSquire.
Sorry, I don't trust Aluria so I won't acknowledge what it found unless you can give me a specific file name it found
Don't use version 2 of CWShredder
The latest is 2.15
There is a reason they update
To find newer malware and fix bugs in the older versions
What does SpySweeper and Spybot find?
Post by: charlie on October 27, 2005, 10:46:15 PM
1) When I use CWShredder 2.15, it says I am not infected. Only the CWSdredder 2 says that I have it.
2) Here is the log of the scan by Aluria. Does this help you identify those 3 bugs?[/color]
ASC Version: 1.2.10 Definition Date: 10-25-2005
Date: 28/10/2005 2:56:00 AM
Action: Begin Cookie Scan
OS: Windows XP
************************************************************
Scan Time: 28/10/2005 2:56:01 AM
Spyware Found: CoolWebSearch
Item Name: software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwebsearch.com
DType: 4
******************************
Scan Time: 28/10/2005 2:56:01 AM
Spyware Found: CoolWebSearch
Item Name: software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmeup.com
DType: 4
******************************
Scan Time: 28/10/2005 2:56:01 AM
Spyware Found: SearchSquire
Item Name: software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchsquire.com
DType: 4
******************************
ASC Version: 1.2.10 Definition Date: 10-25-2005
Date: 28/10/2005 2:56:01 AM
Action: Begin Spyware Scan
OS: Windows XP
************************************************************
Delete Time: 28/10/2005 4:57:04 AM
Deleted Spyware: SearchSquire
Item Name: software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchsquire.com
******************************
Delete Time: 28/10/2005 4:57:04 AM
Deleted Spyware: CoolWebSearch
Item Name: software\microsoft\windows\currentversion\internet settings\zonemap\domains\searchmeup.com
******************************
Delete Time: 28/10/2005 4:57:04 AM
Deleted Spyware: CoolWebSearch
Item Name: software\microsoft\windows\currentversion\internet settings\zonemap\domains\coolwebsearch.com
******************************
[color=\"blue\"]3) Spysweeper and Spybot say I am clean.
[/color]
Post by: Guest on October 28, 2005, 12:33:47 AM
Coolwebsearch (225) address is "coolwebsearch.com"
Coolwebsearch (862) address is "searchmeup.com"
Is this info helpful at all?
Post by: charlie on October 28, 2005, 12:35:30 AM
Post by: guestolo on October 28, 2005, 10:11:36 AM
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
Do you normally set up to use a proxy server?
This line in your log
indicates you are, but can also be left over from some malware
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
You may choose to fix that line with hijackthis and then reboot your computer
# Open Internet Explorer. Click on tools, then Internet Options. Then click on the Connect tab.
# Then press the Lan Settings button and uncheck the Use a proxy server checkbox. Then press OK until you are out of the options screen.
Restart IE
If you have trouble connecting after that just reverse the proxy setting in IE
Restore the backup hijackthis made and then reboot again
That was helpful, the SpywareBlaster info
After you have done the above can you go into SpywareBlaster and disable all protection>>Check for updates>>and then enable all protection
That's not the normal way of updating, I'm just trying something
Post by: charlie on October 29, 2005, 09:21:58 AM
c:\WINDOWS\runwin32.exe
c:\WINDOWS\wininet32.exe
Do you just want to know if they exist? I did a search and no such files are on my C drive.[/color]
Do you normally set up to use a proxy server?
This line in your log
indicates you are, but can also be left over from some malware
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
[color=\"blue\"]Yes. I use metropipe.[/color]
You may choose to fix that line with hijackthis and then reboot your computer.
[color=\"blue\"]Don't know what you mean. How do I fix it with HJT?
[/color]
Restore the backup hijackthis made and then reboot again
[color=\"blue\"]How do you do this? Because I just went into HJT to look where the backups are and there are no backupfiles listed
Thanks again[/color]
Post by: guestolo on October 29, 2005, 10:56:16 PM
That's strange that SpywareBlaster finds those entries disabled all the time
They appear to be set to the Restricted Zone settings
Can you do the following please
Download: Registry Search Tool from this link
http://billsway.com/vbspage/ (http://\"http://billsway.com/vbspage/\")
Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run
In the open field copy and paste the below in bold then hit OK
coolwebsearch.com
Wait for the results and post them back here
Could you do the same for the next 2 also
searchmeup.com
searchsquire.com
Post by: Guest on October 30, 2005, 05:14:10 AM
Here are the results :
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "coolwebsearch.com" 30/10/2005 9:09:02 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Host File]
"acoolwebsearch.com"="127.0.0.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Host File]
"www.acoolwebsearch.com"="127.0.0.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Host File]
"coolwebsearch.com"="127.0.0.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Host File]
"www.coolwebsearch.com"="127.0.0.1"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearch.com]
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearch.com]
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearch.com]
[HKEY_USERS\S-1-5-21-796845957-1417001333-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\acoolwebsearch.com]
[HKEY_USERS\S-1-5-21-796845957-1417001333-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearch.com]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearch.com]
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "searchmeup.com" 30/10/2005 9:11:04 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.com]
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.com]
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.com]
[HKEY_USERS\S-1-5-21-796845957-1417001333-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.com]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.com]
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "searchsquire.com" 30/10/2005 9:12:17 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
Thank you
Post by: charlie on October 30, 2005, 05:15:33 AM
Regards
Post by: guestolo on October 30, 2005, 11:27:44 AM
Probably false positives
Can you do an experiment please
I use SpywareBlaster>>Ie-spyad>>Spybot's Immunization feature
and SpywareGuard for protections
Can you try this, you can reenable all these later
Don't go surfing around too much, this is just to eliminate a problem
==Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf (http://\"http://www.mvps.org/winhelp2002/DelDomains.inf\") and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop
we'll need this later
Open SpywareGuard and click FILE>>EXIT
Open SpySweeper
Click on Shields on the left
Under each of the tabs uncheck whatever options you have running (Keep note of which ones are checked, you can reenable these later)
Make sure you uncheck the ones under the Hosts tab
Then right click on SpySweeper icon by the clock and shut it down
Is this the trial version of Spysweeper?
Open SpywareBlaster>>Disable all protection
Open SpyBot>>Click on Immunize>>OK>>then UNDO at the top
Do you have IE-Spyad installed? If so uninstall it for now
Of course I don't know anything about Aluria, but if they have similiar protections
Disable them too
Make sure you do
==Right Click on DelDomains.inf>>Choose Install from the menu bar
This is going to remove all protections, but we are just trying something
Don't go surfing the Net
Open RegSearch tool again
Once again
In the open field copy and paste the below in bold then hit OK
coolwebsearch.com
Wait for the results and post them back here
Could you do the same for the next 2 also
searchmeup.com
searchsquire.com
Post by: charlie on October 30, 2005, 08:41:37 PM
Once I disable all the spywares and do as your instructions say, can I then enable all my spywares again because I need my internet access for my work.
Thanks
charlie
Post by: guestolo on October 30, 2005, 09:02:05 PM
Remember to do all the steps
Afterwards, If you have IE-Spyad installed
Reinstall it
Open SpywareBlaster and check for updates
Then enable all protections
Open Spybot and check for updates
Then click the Immunize button>>Ok>>Immunize at the top menu bar
Then we'll go from there
Don't enable all the other protections yet
Also, I asked,
Is this the trial version of SpySweeper
How long before it expires?
Post by: charlie on October 30, 2005, 09:43:30 PM
Post by: guestolo on October 30, 2005, 09:47:59 PM
What happened to the results of the RegSearch tool after you disabled all protections?
Post by: charlie on October 31, 2005, 08:31:10 AM
I disable all as you instructed and install the DelDomains, then ran the RegSearch again for coolwebsearch.com, searchmeup.com, and searchsquire.com. The result for coolwebsearch.com is this:
[color=\"red\"]REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "coolwebsearch.com" 1/11/2005 12:12:25 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Host File]
"acoolwebsearch.com"="127.0.0.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Host File]
"www.acoolwebsearch.com"="127.0.0.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Host File]
"coolwebsearch.com"="127.0.0.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Webroot\SpySweeper\Host File]
"www.coolwebsearch.com"="127.0.0.1"
[/color]
Nothing was found for searchmeup.com or searchsquire.com
charlie
Post by: guestolo on October 31, 2005, 11:28:09 PM
Again, as I said, with all the protection tools you have on your computer
And a couple not regularly recommended, they look like false positives
What do you think???
Post by: Guest on October 31, 2005, 11:47:26 PM
[post=\"67473\"]<{POST_SNAPBACK}>[/post]
[/quote]So If I do this, will the problem go away? I'm beginning to agree with you that it is a false positive.....as you call them.
So how do I enter Spysweeper Host file protection and disable it?
charlie
Post by: guestolo on November 01, 2005, 12:02:33 AM
Click on Shields on the left
Click on the Hosts file tab
Uncheck all options in that tab
Again run RegSearch.vbs and search for the following
coolwebsearch.com
Do you get any results, if so
Open Hijackthis>>Open Misc tools section
Open Hosts file manager>>click the "Open In Notepad button"
A text file will open, copy and paste that text file back here