Spywareno Keep Returning..... ( Solved )

[The Dragon Slayer]

Logfile of HijackThis v1.99.1

Scan saved at 10:08:59 AM, on 2/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ELTech\Keyboard\Easymain.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\EPSON\ESM2\eEBSVC.exe

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Paul\Desktop\System

Optimized\Tclock\tclock.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Maxthon\Maxthon.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\WINDOWS\msagent\AgentSvr.exe

C:\Hjack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.cbc.ca/business/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-

CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} -

C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll

O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} -

C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

/STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-

Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5

\MBM5.EXE"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: tclock.exe.lnk = C:\Documents and

Settings\Paul\Desktop\System Optimized\Tclock\tclock.exe

O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word -

res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page -

res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English -

res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-

AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}

- C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-

BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) -

http://www.ea.com/downloads/rtpatch/EARTPX.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

-

http://v5.windowsupdate.microsoft.com/v5co...rols/en/x86/cli

ent/wuweb_site.cab?1101065973661

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

-

http://update.microsoft.com/microsoftupdat...ls/en/x86/clien

t/muweb_site.cab?1122951771953

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)

-

http://a840.g.akamai.net/7/840/537/2004061....trendmicro.com

/housecall/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan

Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32

\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o.

- C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program

Files\EPSON\ESM2\eEBSVC.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program

Files\Ahead\InCD\InCDsrv.exe

Above is the HJT log. Please let me know what to delete. Adaware tags 1 registry key and 7 registry values. They keep coming back after deleting with Adaware when I reboot. Thanks.

Edited February 14, 2006 by The Dragon Slayer

[TheTerrorist_75]

I don't know how your log became so disorganized but this should make it easier for the experts to read.

---------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 10:08:59 AM, on 2/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ELTech\Keyboard\Easymain.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\EPSON\ESM2\eEBSVC.exe

C:\Program Files\Motherboard Monitor 5\MBM5.EXE

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Paul\Desktop\System Optimized\Tclock\tclock.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Maxthon\Maxthon.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\WINDOWS\msagent\AgentSvr.exe

C:\Hjack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/business/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar2.dll

O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} -

C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll

O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} -

C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: tclock.exe.lnk = C:\Documents and Settings\Paul\Desktop\System Optimized\Tclock\tclock.exe

O8 - Extra context menu item: &Google Search -

res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word -

res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links -

res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page -

res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages -

res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English -

res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) -

http://www.ea.com/downloads/rtpatch/EARTPX.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupdate.microsoft.com/v5co...b?1101065973661

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat...b?1122951771953

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o.-

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: EpsonBidirectionalService - Unknown owner -

C:\Program Files\EPSON\ESM2\eEBSVC.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG -

C:\Program Files\Ahead\InCD\InCDsrv.exe

[Andy_veal]

I just wanted to ask what version of Ad-aware you were running? And if you have the latest definition file?..... There was recently a False Positive in a definition file, though this has been corrected.

[The Dragon Slayer]

I just wanted to ask what version of Ad-aware you were running? And if you have the latest definition file?..... There was recently a False Positive in a definition file, though this has been corrected.

Free version 1.06r1, SE1R91 08.02.2006, The up-to-date one. I'm thinking about it too. No one finds anything except Adaware such as A squared, MS antispyware, Panda online scan, PC pitstop spyware scan and webroot spy sweeper. While I'm waiting for the expert to look at my HJT log, I just scan away to see if any program can tag SpywareNo as Adaware said.

[Andy_veal]

You are receiving that Ad-aware is finding that object, in fault.

What Ad-aware is finding, is a F/P (False Positive). I believed the F/P had been fixed, but it currently hasn't

This F/P is to do with ActiveDesktop. Many of SpywareNo / SpySherrif's downloaders (and other rogues) mess around with the desktop settings... especially the background ("Your computer is infected with blah blah blah") so this key has been flagged, although it should be flagging for those only infected with SpySherrif / SpywareNo. This should only affect users who have ActiveDesktop enabled. We will adjust our definitions accordingly... thanks guys!

Quote from LS SteveJ at DSLReports.com , who is a Lavasoft employee.

So.... You have no reason to concern about what Ad-aware is finding....

If you were infected, you would see this item:

O4 - HKCU\..\Run: [spywareNo] C:\Program Files\SpywareNo\SpywareNo.exe

This object should disappear with the next update. Otherwise, you can just add it to your ignore list:

1. Run a scan with Ad-Aware

2. Select the objects you want to add to the ignore list in the Scan Summary, Critical Objects, or Negligible Objects lists on the Scanning Results screen.

3. Right click and select "Add selected to ignore list"

4. A pop-up window showing the number of objects that will be added to the ignore list opens. Click "OK" to continue.

The object is now added to the Ignore List

Any other problems?

Regards,

Andy

(Thanks to Corrine and winchester73 )

Edited February 13, 2006 by Andy_veal

[The Dragon Slayer]

You are receiving that Ad-aware is finding that object, in fault.

What Ad-aware is finding, is a F/P (False Positive). I believed the F/P had been fixed, but it currently hasn't

This F/P is to do with ActiveDesktop. Many of SpywareNo / SpySherrif's downloaders (and other rogues) mess around with the desktop settings... especially the background ("Your computer is infected with blah blah blah") so this key has been flagged, although it should be flagging for those only infected with SpySherrif / SpywareNo. This should only affect users who have ActiveDesktop enabled. We will adjust our definitions accordingly... thanks guys!

Quote from LS SteveJ at DSLReports.com , who is a Lavasoft employee.

So.... You have no reason to concern about what Ad-aware is finding....

If you were infected, you would see this item:

O4 - HKCU\..\Run: [spywareNo] C:\Program Files\SpywareNo\SpywareNo.exe

This object should disappear with the next update. Otherwise, you can just add it to your ignore list:

1. Run a scan with Ad-Aware

2. Select the objects you want to add to the ignore list in the Scan Summary, Critical Objects, or Negligible Objects lists on the Scanning Results screen.

3. Right click and select "Add selected to ignore list"

4. A pop-up window showing the number of objects that will be added to the ignore list opens. Click "OK" to continue.

The object is now added to the Ignore List

Any other problems?

Regards,

Andy

(Thanks to Corrine and winchester73 )

Thanks, Andy.

[Corrine]

SE1R92 14.02.2006 has been released. Give it a try.

[Andy_veal]

Welcome to BestTechie Corrine!

[The Dragon Slayer]

SE1R92 14.02.2006 has been released. Give it a try.

Thanks. FP confirmed. New scan resulted in a few tracking cookies.

Thanks to you, Andy as well!

[Matt]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.