scrane

November 17, 2006

Thank you for all your help.

Stephen

November 17, 2006

Here is an update.

Thanks,

Stephen

Logfile of HijackThis v1.99.1

Scan saved at 6:23:56 PM, on 16/11/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe

C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe

C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\RioMSC.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program Files\Shaw Secure\Common\FSMA32.EXE

C:\Program Files\Shaw Secure\Common\FSMB32.EXE

C:\Program Files\Shaw Secure\Common\FCH32.EXE

C:\Program Files\Shaw Secure\Common\FAMEH32.EXE

C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe

C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe

C:\Program Files\Shaw Secure\FSPC\fspc.exe

C:\Program Files\Shaw Secure\Common\FSM32.EXE

C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe

C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe

C:\Documents and Settings\Stephen Crane\My Documents\Spyware Programs\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/Start/enCA/Local+Cont...berta/Edmonton/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Shaw Internet

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot

O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe

O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab

O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://xpupload.hpphoto.com/downloads/DownloadPhotos.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://auportal1.agricoreunited.com/sre/ICSScanner.cab

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex...tupv2.0.0.9.cab?

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe

O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

November 16, 2006

There was no report generated. AVG picked up a few tracking cookies but no Zlob. My F-Secure software quaranteened a W32 Trojan that was deleted. Any ideas? Residual image?

Thanks,

Stephen

November 15, 2006

Here is the full line.

HKEY_CLASSES_ROOT\CLSID\{55385A7-4922-4e7e-B1C1-97140C1C16EF}

Thanks,

Stephen

November 14, 2006

HKEY_CLASSES_ROOT\CLSID\{Bunch of #'s and letters}

Does this mean anything?

November 14, 2006

Thank you for all your help.

I am running F-Secure that encompasses all of these. Obviously it is not perfect. I will add another couple of layers of protection. I did download a program called Spynomore. It still tells me that a Zlob trojan still resides. I am assuming it is reading a false positive?

Thank you again for taking the time to take care of non-professional pc users like me.

Stephen

November 14, 2006

Here is the latest. Is this log easy to read for a trained person?

Thanks,

Stephen

Logfile of HijackThis v1.99.1

Scan saved at 5:53:56 PM, on 13/11/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Shaw Secure\Common\FSMA32.EXE

C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe

C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe

C:\Program Files\Shaw Secure\Common\FSMB32.EXE

C:\WINDOWS\system32\RioMSC.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Shaw Secure\Common\FCH32.EXE

C:\Program Files\Shaw Secure\Common\FAMEH32.EXE

C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe

C:\Program Files\Shaw Secure\FSPC\fspc.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe

C:\Program Files\Shaw Secure\Common\FSM32.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe

C:\Program Files\Shaw Secure\FSGUI\ispnews.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe