basilhall
asked on
Ad-Aware false positives?
I am running WinXP (home)
I had a problem with Ad-Aware SE 1.01 and the same problem with SE 1.02 which detected the following two reg values:
Possible Browser hijack attempt.
cat. data miner
27 bytes
loc. HKEY_LOCAL_MACHINE:SYSTEM|
Possible Browser hijack attempt.
cat. data miner
27 bytes
loc. HKEY_LOCAL_MACHINE:SYSTEM|
I looked at the TAC page and no match was found for either of them (whatever that means?)
The effect of removing them to quarantine was to block my access to all pages on the net. I reinstated and quarantined them a few times and got different results. Sometimes the denial of access to the net was instantaneous, sometimes I could access only to find, after a few minutes, access was denied. One time , having removed them to quarantine they were found again by Ad-Aware. This morning, before I did work on the internet, I took them out of "ignore" where I had placed them.Two further scans did not detect them, but after using the computer for some time Ad-Aware picked them up again.
Does anyone consider them a threat or can I put them in ignore as false positives?.
Thanks
Basil
After that check with HijackThis and post the log here:
http://www.spychecker.com/program/hijackthis.html
http://www.spychecker.com/program/hijackthis.html
ASKER
jvuz thanks, I already did this waiting for a reply and the second entry "CurrentControlSet" also appears in HJT.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
i found that the node :
HKEY_LOCAL_MACHINE:SYSTEM\
° tcp/ip - filtering ,
° your ip configuration: dhcp ,ras ...
°
HKEY_LOCAL_MACHINE:SYSTEM\
° tcp/ip - filtering ,
° your ip configuration: dhcp ,ras ...
°
sorry i wasn't ready:
the problem is how do you obtail your ip adress with dhcp?Cuz there you can manage your dhcp restrictions about obtaining your own ip adress-find out if you have another internet connections in network palces than your own connection ,i'm not sure but seems like troyan trick or dialer trick...
° see this scanner also and read the whole article!!!! :
http://www.uninstall-i-lookup.com/lop-uninstall/lop-uninstall.html
"....You should also delete the following entries if you have them and they are not just blank:
HKEY_LOCAL_MACHINE\Softwar
HKEY_LOCAL_MACHINE\System\
HKEY_LOCAL_MACHINE\System\
HKEY_LOCAL_MACHINE\System\
....."
° Maximum transfer unit(MTU):
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q170359
° APIPA IP:
http://support.microsoft.com/default.aspx?http://support.microsoft.com:80/support/kb/articles/Q220/8/74.ASP&NoWebContent=1 ! Please ,read this article too it's impotaint !!!
cu
the problem is how do you obtail your ip adress with dhcp?Cuz there you can manage your dhcp restrictions about obtaining your own ip adress-find out if you have another internet connections in network palces than your own connection ,i'm not sure but seems like troyan trick or dialer trick...
° see this scanner also and read the whole article!!!! :
http://www.uninstall-i-lookup.com/lop-uninstall/lop-uninstall.html
"....You should also delete the following entries if you have them and they are not just blank:
HKEY_LOCAL_MACHINE\Softwar
HKEY_LOCAL_MACHINE\System\
HKEY_LOCAL_MACHINE\System\
HKEY_LOCAL_MACHINE\System\
....."
° Maximum transfer unit(MTU):
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q170359
° APIPA IP:
http://support.microsoft.com/default.aspx?http://support.microsoft.com:80/support/kb/articles/Q220/8/74.ASP&NoWebContent=1 ! Please ,read this article too it's impotaint !!!
cu
ASKER
Thanks mwnnj, but a friend who analyses hijack this logs tells me that the two registry entries are merely false positives.
Cheers
Basil
Cheers
Basil
ASKER
Sorry mwnnj, but I am new, old and paranoid and in denial. It is easy to take the simplest and most pleasing explanation, but I am sure you are right.
Find spyscan and HJS logs below:
Scan initialized on 24/08/2004 10:20:45 a.m.
==========================
Started memory scan
====================
Running processes:
1: \SystemRoot\System32\smss.
2: \??\C:\WINDOWS\system32\wi
3: C:\WINDOWS\system32\servic
4: C:\WINDOWS\system32\lsass.
5: C:\WINDOWS\system32\svchos
6: C:\WINDOWS\System32\svchos
7: C:\WINDOWS\Explorer.EXE
8: C:\WINDOWS\system32\spools
9: C:\PROGRA~1\Grisoft\AVG6\a
10: C:\Program Files\PivX\Qwik-Fix\qfload
11: C:\WINDOWS\System32\svchos
12: C:\WINDOWS\system32\ZoneLa
13: C:\WINDOWS\SOUNDMAN.EXE
14: C:\Program Files\Grisoft\AVG6\avgcc32
15: C:\PROGRA~1\ZONELA~1\ZONEA
16: C:\Program Files\PivX\Qwik-Fix\qfui.e
17: C:\WINDOWS\system32\SWEEPE
18: C:\WINDOWS\System32\ctfmon
19: C:\Program Files\Messenger\msmsgs.exe
20: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
21: C:\Program Files\Fantastic-Bits\WiSi\
22: C:\Program Files\BHODemon 2\BHODemon.exe
23: C:\WINDOWS\System32\wuaucl
24: C:\PROGRA~1\SpyBlocs\SpyBl
Memory scan result:
Total modules found:24
Suspicious modules found: 0
Started registry scan
====================
Iambigbrother Trial Version
Spy - SEVERE
Registry scan result:
Suspicious keys found: 1
Started folder scan
====================
BDE Trial Version
Adware - SEVERE
BDE Trial Version
Adware - SEVERE
Folder scan result:
Folder processed: 0
Suspicious folders found: 2
Started file scan
====================
File scan result:
Suspicious files found: 0
Scanning finished
====================
Suspicious modules found: 0
Suspicious keys found: 1
Suspicious folders found: 2
Suspicious files found: 0
====================
Components ignored:0
Total components found:3
Logfile of HijackThis v1.98.2
Scan saved at 11:06:14 a.m., on 24/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\PROGRA~1\Grisoft\AVG6\a
C:\Program Files\PivX\Qwik-Fix\qfload
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\ZoneLa
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG6\avgcc32
C:\PROGRA~1\ZONELA~1\ZONEA
C:\Program Files\PivX\Qwik-Fix\qfui.e
C:\WINDOWS\system32\SWEEPE
C:\WINDOWS\System32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Fantastic-Bits\WiSi\
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\wuaucl
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Basil Hall\Desktop\VIRUS\HijackT
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEA
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroC
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.ex
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\system32\SWEEPE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WiSi.lnk = C:\Program Files\Fantastic-Bits\WiSi\
O14 - IERESET.INF: START_PAGE_URL=http://www.jdi.co.nz
O17 - HKLM\System\CCS\Services\T
Cheers
Basil
Find spyscan and HJS logs below:
Scan initialized on 24/08/2004 10:20:45 a.m.
==========================
Started memory scan
====================
Running processes:
1: \SystemRoot\System32\smss.
2: \??\C:\WINDOWS\system32\wi
3: C:\WINDOWS\system32\servic
4: C:\WINDOWS\system32\lsass.
5: C:\WINDOWS\system32\svchos
6: C:\WINDOWS\System32\svchos
7: C:\WINDOWS\Explorer.EXE
8: C:\WINDOWS\system32\spools
9: C:\PROGRA~1\Grisoft\AVG6\a
10: C:\Program Files\PivX\Qwik-Fix\qfload
11: C:\WINDOWS\System32\svchos
12: C:\WINDOWS\system32\ZoneLa
13: C:\WINDOWS\SOUNDMAN.EXE
14: C:\Program Files\Grisoft\AVG6\avgcc32
15: C:\PROGRA~1\ZONELA~1\ZONEA
16: C:\Program Files\PivX\Qwik-Fix\qfui.e
17: C:\WINDOWS\system32\SWEEPE
18: C:\WINDOWS\System32\ctfmon
19: C:\Program Files\Messenger\msmsgs.exe
20: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
21: C:\Program Files\Fantastic-Bits\WiSi\
22: C:\Program Files\BHODemon 2\BHODemon.exe
23: C:\WINDOWS\System32\wuaucl
24: C:\PROGRA~1\SpyBlocs\SpyBl
Memory scan result:
Total modules found:24
Suspicious modules found: 0
Started registry scan
====================
Iambigbrother Trial Version
Spy - SEVERE
Registry scan result:
Suspicious keys found: 1
Started folder scan
====================
BDE Trial Version
Adware - SEVERE
BDE Trial Version
Adware - SEVERE
Folder scan result:
Folder processed: 0
Suspicious folders found: 2
Started file scan
====================
File scan result:
Suspicious files found: 0
Scanning finished
====================
Suspicious modules found: 0
Suspicious keys found: 1
Suspicious folders found: 2
Suspicious files found: 0
====================
Components ignored:0
Total components found:3
Logfile of HijackThis v1.98.2
Scan saved at 11:06:14 a.m., on 24/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\PROGRA~1\Grisoft\AVG6\a
C:\Program Files\PivX\Qwik-Fix\qfload
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\ZoneLa
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG6\avgcc32
C:\PROGRA~1\ZONELA~1\ZONEA
C:\Program Files\PivX\Qwik-Fix\qfui.e
C:\WINDOWS\system32\SWEEPE
C:\WINDOWS\System32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Fantastic-Bits\WiSi\
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\wuaucl
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Basil Hall\Desktop\VIRUS\HijackT
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEA
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroC
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.ex
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\system32\SWEEPE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WiSi.lnk = C:\Program Files\Fantastic-Bits\WiSi\
O14 - IERESET.INF: START_PAGE_URL=http://www.jdi.co.nz
O17 - HKLM\System\CCS\Services\T
Cheers
Basil
Not at all,always welcome!
See ,wait to proove this decision ,if something wrong happens - post it here .
BTW: run the aluria's spyware scanner -this is a good one and verify the results from ad-aware and aluria.
cu
See ,wait to proove this decision ,if something wrong happens - post it here .
BTW: run the aluria's spyware scanner -this is a good one and verify the results from ad-aware and aluria.
cu
ASKER
mwnnj, did a full scan with aluria's free before purchasing spyware scanner, which found nothing ???
Any explanation why Ad-aware and HJT should have found something while the Aluria scan found nothing?
Basil
Any explanation why Ad-aware and HJT should have found something while the Aluria scan found nothing?
Basil
hi ,there !
i couldn't understand you clear:did you purchase the aluria's scanner??
If you have done so -you needn't ; it is full functional without purchasing the software ;as i already told you above -you can use only the scanner (full functional) ,but you need to remove the pests by hand...
My wish is to give you a chance to keep your pc clean out of pests without giving money for this ;so ,all of the software i adviced you to use is free of charge,but of course you can buy the software if you wish - it depends on you!
OK,i am waiting for your answer...
About the scanner differences :
Theese are quite different type of scan engines and you can't find the best adware sanner ,cuz there is not a pain killer under theese pest scanners -if you can understand me.You didn't say , you have already updated the aluria scanner with the latest definitions,if not -do so .Another good scanner is Spy Sweeper:
http://www.webroot.com/wb/products/spysweeper/index.php and PLEASE ,do not purchase ,if you don't want to do it by your own!!!,you can use the scanner full functional also for free with a one update option.But see the different scanner which i give you, are only another engines ,which can detect ,if theese two pests are for real or not !So as Aluria they are not ; try Spy sweeper and find out what will happen ;if this scanner will not detect the two registry valusues than it is quite reasonable that you stop worrying about that...
another two programs, which are also good, are:
Spywate blaster-detects active X pests and spyware guard:
http://www.javacoolsoftware.com/spywareblaster.html ,
Did you make the install of pest patrol and the restrictions in it as i told you ;if not, you can make it -this is evaluation software ,but is full functional and for free ,so -think before purchase .I like pest patrol at most.
You said, that a friend of you told you ,that the HJT log is clean; is it true or not ;if you are not sure don't worry and post the log here ,we will try to give you the best advices as we can.
But see,first of all ,read carefully what we post here as answers to your problem.
Second:read the disclaimers of the software you install on your pc,you must not pay for something in case you don't want it and it's not neccesary to do it!
Thus you will find the best solution for you ,and this forum is not a marketing place but a forum for software and harware solutions.
As i said-i'am waiting for your answer&try the different scanner to compare the results.
Good luck!
till later
i couldn't understand you clear:did you purchase the aluria's scanner??
If you have done so -you needn't ; it is full functional without purchasing the software ;as i already told you above -you can use only the scanner (full functional) ,but you need to remove the pests by hand...
My wish is to give you a chance to keep your pc clean out of pests without giving money for this ;so ,all of the software i adviced you to use is free of charge,but of course you can buy the software if you wish - it depends on you!
OK,i am waiting for your answer...
About the scanner differences :
Theese are quite different type of scan engines and you can't find the best adware sanner ,cuz there is not a pain killer under theese pest scanners -if you can understand me.You didn't say , you have already updated the aluria scanner with the latest definitions,if not -do so .Another good scanner is Spy Sweeper:
http://www.webroot.com/wb/products/spysweeper/index.php and PLEASE ,do not purchase ,if you don't want to do it by your own!!!,you can use the scanner full functional also for free with a one update option.But see the different scanner which i give you, are only another engines ,which can detect ,if theese two pests are for real or not !So as Aluria they are not ; try Spy sweeper and find out what will happen ;if this scanner will not detect the two registry valusues than it is quite reasonable that you stop worrying about that...
another two programs, which are also good, are:
Spywate blaster-detects active X pests and spyware guard:
http://www.javacoolsoftware.com/spywareblaster.html ,
Did you make the install of pest patrol and the restrictions in it as i told you ;if not, you can make it -this is evaluation software ,but is full functional and for free ,so -think before purchase .I like pest patrol at most.
You said, that a friend of you told you ,that the HJT log is clean; is it true or not ;if you are not sure don't worry and post the log here ,we will try to give you the best advices as we can.
But see,first of all ,read carefully what we post here as answers to your problem.
Second:read the disclaimers of the software you install on your pc,you must not pay for something in case you don't want it and it's not neccesary to do it!
Thus you will find the best solution for you ,and this forum is not a marketing place but a forum for software and harware solutions.
As i said-i'am waiting for your answer&try the different scanner to compare the results.
Good luck!
till later
ASKER
Hi, don't worry, I am too frugal to puchase anything that I do not need to. Yes, I did update and run both Aluria Spyware Eliminator and Webroot SpySweeper. Completely clean on both. I have SpywareBlaster already installed on my machine.
I did the Pest Patrol as directed, but neither of the original Ad-aware entries were found, so I must conclude that they are no threat.
Here is the Pest Patrol Log:
"",Pest,Pest Info,File Info,""
2,Twain-Tech,Category: Adware Background Info: Click here,In Registry: HKEY_LOCAL_MACHINE\softwar
1,SpediaBar,Category: Adware Background Info: Click here,In Registry: HKEY_LOCAL_MACHINE\softwar
You asked for my HJT log. I posted it in an earlier message, but here it is again.Only one of the two registry entries originally found by Ad-aware was found by HJT, at the bottom as reported in an earlier message.
Logfile of HijackThis v1.98.2
Scan saved at 11:06:14 a.m., on 24/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\PROGRA~1\Grisoft\AVG6\a
C:\Program Files\PivX\Qwik-Fix\qfload
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\ZoneLa
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG6\avgcc32
C:\PROGRA~1\ZONELA~1\ZONEA
C:\Program Files\PivX\Qwik-Fix\qfui.e
C:\WINDOWS\system32\SWEEPE
C:\WINDOWS\System32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Fantastic-Bits\WiSi\
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\wuaucl
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Basil Hall\Desktop\VIRUS\HijackT
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEA
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroC
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.ex
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\system32\SWEEPE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WiSi.lnk = C:\Program Files\Fantastic-Bits\WiSi\
O14 - IERESET.INF: START_PAGE_URL=http://www.jdi.co.nz
O17 - HKLM\System\CCS\Services\T
Cheers
Basil
I did the Pest Patrol as directed, but neither of the original Ad-aware entries were found, so I must conclude that they are no threat.
Here is the Pest Patrol Log:
"",Pest,Pest Info,File Info,""
2,Twain-Tech,Category: Adware Background Info: Click here,In Registry: HKEY_LOCAL_MACHINE\softwar
1,SpediaBar,Category: Adware Background Info: Click here,In Registry: HKEY_LOCAL_MACHINE\softwar
You asked for my HJT log. I posted it in an earlier message, but here it is again.Only one of the two registry entries originally found by Ad-aware was found by HJT, at the bottom as reported in an earlier message.
Logfile of HijackThis v1.98.2
Scan saved at 11:06:14 a.m., on 24/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\PROGRA~1\Grisoft\AVG6\a
C:\Program Files\PivX\Qwik-Fix\qfload
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\ZoneLa
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG6\avgcc32
C:\PROGRA~1\ZONELA~1\ZONEA
C:\Program Files\PivX\Qwik-Fix\qfui.e
C:\WINDOWS\system32\SWEEPE
C:\WINDOWS\System32\ctfmon
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Fantastic-Bits\WiSi\
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\wuaucl
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Basil Hall\Desktop\VIRUS\HijackT
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEA
O4 - HKLM\..\Run: [Qwik-Fix User Interface] C:\Program Files\PivX\Qwik-Fix\\qfui.
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroC
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.ex
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\system32\SWEEPE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WiSi.lnk = C:\Program Files\Fantastic-Bits\WiSi\
O14 - IERESET.INF: START_PAGE_URL=http://www.jdi.co.nz
O17 - HKLM\System\CCS\Services\T
Cheers
Basil
Hi , Basil,
i must excuse but i think there was a server error at E#E ,i'm quite sure i did't saw your first HJT log posting ,please excuse- it was not mentioned to write rude or something in this stile .So ,about the problem:
The Pest Patrol log wasn't clear ;actually pest patrol tells you that you have two pests on your pc and the first pest is:
http://pestpatrol.com/pestinfo/s/spediabar.asp - some kind of spy ,
the second is Twain-Tech:
http://www.pestpatrol.com/PestInfo/t/twain-tech.asp -this is actually a troyan horse!!!
Both of them are BHO's!Remove theese two pests immediately!
So, on the two pages you will find the needed removal instructions for the two pest !Actually pest patrol must remove them too-no problem that its eval,but make it for sure by hand too!
Please ,do this very carefully then run the good ad-aware to see if the BHO 017-problem still persists on your system ,try to connect to internet to find out if everything is still ok with your internet connection.
But see ,before doing it ,!! make a copy of theese pests !! ;i mean make two folders and then all the files and reg-values for theese two pest you can sort in each folder,then you can only change the last letter of the file extensions to be sure they will not run and for best- save the data(the copy of the pests ) on a floppy disk or burn them on a cd ;then remove every track of the two pests and their copies from your hdd-thus you will clean your system from the pests and you will have also their copies on a an another external storage for if something with your internet conection goes wrong ,to recover the pest for to gain the internet access again...
i wish you good luck ,hope it will help!
i'm waiting for your reply!
till later
i must excuse but i think there was a server error at E#E ,i'm quite sure i did't saw your first HJT log posting ,please excuse- it was not mentioned to write rude or something in this stile .So ,about the problem:
The Pest Patrol log wasn't clear ;actually pest patrol tells you that you have two pests on your pc and the first pest is:
http://pestpatrol.com/pestinfo/s/spediabar.asp - some kind of spy ,
the second is Twain-Tech:
http://www.pestpatrol.com/PestInfo/t/twain-tech.asp -this is actually a troyan horse!!!
Both of them are BHO's!Remove theese two pests immediately!
So, on the two pages you will find the needed removal instructions for the two pest !Actually pest patrol must remove them too-no problem that its eval,but make it for sure by hand too!
Please ,do this very carefully then run the good ad-aware to see if the BHO 017-problem still persists on your system ,try to connect to internet to find out if everything is still ok with your internet connection.
But see ,before doing it ,!! make a copy of theese pests !! ;i mean make two folders and then all the files and reg-values for theese two pest you can sort in each folder,then you can only change the last letter of the file extensions to be sure they will not run and for best- save the data(the copy of the pests ) on a floppy disk or burn them on a cd ;then remove every track of the two pests and their copies from your hdd-thus you will clean your system from the pests and you will have also their copies on a an another external storage for if something with your internet conection goes wrong ,to recover the pest for to gain the internet access again...
i wish you good luck ,hope it will help!
i'm waiting for your reply!
till later
See ,i know that it's a job for idiots :)) to save and rename(it is not necessary to do this ,but this is the most safety way -just burn them on a cd) all kind of theese files -it was a suggestion if something goes wrong for "recovery"-one archive to keep is better than nothing .Please be careful and patient!i think ,if you follow the instructions as pest patrol you will succeed!
But first try with LSPfix if something goes wrong...
cu
But first try with LSPfix if something goes wrong...
cu
ASKER
mwnnj, I did not remove the two objects found by pestpatrol (twaintech and spediabar) because the entries that I had to deltete were not in the task manager or registry. What's more, I did a scan with XoftSpy 3.44 which camwe up with 5 further objects; CoolWebSearch, CWS oslogo, two Winpups and AdShooter.search For It.
I have come to the conclusion that these spy/adware systems produce so many false positives that they are dangerous if taken at face value.
I think you have helped me with my original problem, so please accept the 250 points.
Thanks
Basil
I have come to the conclusion that these spy/adware systems produce so many false positives that they are dangerous if taken at face value.
I think you have helped me with my original problem, so please accept the 250 points.
Thanks
Basil
Thanks ,Basil , you are always welcome!
See the Problem with BHO's is,that there is still no kind of personal firewall ,which can filter them, cause they come with the browser and this is the .exe which makes the internet connection...
I can only rather advice you that you can use the Netsacpe or better the Mozilla crew browser:Mozilla &Mozilla firefox-for ecurity reasons they are much better than the IE...
So have a nice time and wish you all the best!
mwnnj
See the Problem with BHO's is,that there is still no kind of personal firewall ,which can filter them, cause they come with the browser and this is the .exe which makes the internet connection...
I can only rather advice you that you can use the Netsacpe or better the Mozilla crew browser:Mozilla &Mozilla firefox-for ecurity reasons they are much better than the IE...
So have a nice time and wish you all the best!
mwnnj
ASKER
loc. HKEY_LOCAL_MACHINE:SYSTEM\
loc. HKEY_LOCAL_MACHINE:SYSTEM\
Both are present in my registry
Basil