Long distance support and troubles !

mitch · December 11, 2005, 04:24:18 PM

a friend of mine has 1800 and it won't go away!
so far just used AAW and ccleaner

any ideas ( she is a newbie so simple answers please)
thanks
note on ref file se1R77 it said rootkit next to it ;-(
latest log after running aaw,ccleaner and a reboot, this is the scan

thanks
Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, December 08, 2005 6:54:04 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R78 07.12.2005
��

References detected during the scan:
��
180Solutions(TAC index:6):1 total references
��

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R77 30.11.2005
Internal build : 89
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 555081 Bytes
Total size : 1663687 Bytes
Signature data size : 1629692 Bytes
Reference data size : 33483 Bytes
Signatures total : 46320
CSI Fingerprints total : 1127
CSI data size : 32388 Bytes
Target categories : 15
Target families : 788

12-8-2005 6:44:24 AM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R78 07.12.2005
Internal build : 90
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 559432 Bytes
Total size : 1678057 Bytes
Signature data size : 1643953 Bytes
Reference data size : 33592 Bytes
Signatures total : 46698
CSI Fingerprints total : 1147
CSI data size : 32968 Bytes
Target categories : 15
Target families : 794

12-8-2005 6:46:33 AM Success
Update successfully downloaded and installed.

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:56 %
Total physical memory:522160 kb
Available physical memory:291688 kb
Total page file size:883604 kb
Available on page file:703220 kb
Total virtual memory:2097024 kb
Available virtual memory:2046888 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

12-8-2005 6:54:04 AM - Scan started. (Full System Scan)

Listing running processes
��

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 628
ThreadCreationTime : 12-8-2005 11:36:27 AM
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 692
ThreadCreationTime : 12-8-2005 11:36:51 AM
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 716
ThreadCreationTime : 12-8-2005 11:36:51 AM
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 760
ThreadCreationTime : 12-8-2005 11:36:52 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 772
ThreadCreationTime : 12-8-2005 11:36:52 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 916
ThreadCreationTime : 12-8-2005 11:36:53 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 996
ThreadCreationTime : 12-8-2005 11:36:53 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1036
ThreadCreationTime : 12-8-2005 11:36:53 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1088
ThreadCreationTime : 12-8-2005 11:36:53 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1196
ThreadCreationTime : 12-8-2005 11:36:54 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1332
ThreadCreationTime : 12-8-2005 11:36:54 AM
BasePriority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All
rights reserved.
OriginalFilename : ccSetMgr.exe

#:12 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1348
ThreadCreationTime : 12-8-2005 11:36:54 AM
BasePriority : Normal
FileVersion : 5.5.1.6
ProductVersion : 5.5
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:13 [spbbcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec
Shared\SPBBC\
ProcessID : 1360
ThreadCreationTime : 12-8-2005 11:36:55 AM
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright (c) 2004 Symantec Corporation. All rights
reserved.
OriginalFilename : SPBBCSvc.exe

#:14 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1420
ThreadCreationTime : 12-8-2005 11:36:55 AM
BasePriority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All
rights reserved.
OriginalFilename : ccEvtMgr.exe

#:15 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1556
ThreadCreationTime : 12-8-2005 11:36:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:16 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 1684
ThreadCreationTime : 12-8-2005 11:36:56 AM
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP
Copyright � 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:17 [npfmntor.exe]
FilePath : C:\Program Files\Norton AntiVirus\IWP\
ProcessID : 1796
ThreadCreationTime : 12-8-2005 11:36:56 AM
BasePriority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Firewall Install Monitor
InternalName : NPFMonitor
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP
Copyright � 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NPFMonitor.EXE

#:18 [nprotect.exe]
FilePath : C:\Program Files\Norton AntiVirus\AdvTools\
ProcessID : 1816
ThreadCreationTime : 12-8-2005 11:36:56 AM
BasePriority : Normal
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
ProductName : Norton Utilities
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
LegalCopyright : Copyright (C) 2003 Symantec Corporation
LegalTrademarks : Norton Utilities
OriginalFilename : NPROTECT.EXE

#:19 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1924
ThreadCreationTime : 12-8-2005 11:36:57 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\
ProcessID : 1956
ThreadCreationTime : 12-8-2005 11:36:57 AM
BasePriority : Normal
FileVersion : 1, 8, 54, 478
ProductVersion : 1, 8, 54, 478
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright (C) 2003
OriginalFilename : symlcsvc.exe

#:21 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 648
ThreadCreationTime : 12-8-2005 11:37:07 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:22 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1260
ThreadCreationTime : 12-8-2005 11:37:09 AM
BasePriority : Normal
FileVersion : 0.1.0.3034
ProductVersion : 0.1.0.3034
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright � RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:23 [e_fati9ea.exe]
FilePath : C:\WINNT\System32\spool\DRIVERS\W32X86\3\
ProcessID : 1316
ThreadCreationTime : 12-8-2005 11:37:10 AM
BasePriority : Normal
FileVersion : 3.00
ProductVersion : 3.00
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S5I2E1
LegalCopyright : Copyright (C) SEIKO EPSON CORP. 2004
OriginalFilename : E_S5I2E1.EXE

#:24 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1660
ThreadCreationTime : 12-8-2005 11:37:10 AM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : � Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:25 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1692
ThreadCreationTime : 12-8-2005 11:37:10 AM
BasePriority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All
rights reserved.
OriginalFilename : ccApp.exe

#:26 [wdbtnmgr.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2040
ThreadCreationTime : 12-8-2005 11:37:10 AM
BasePriority : Normal
FileVersion : 1, 0, 15, 0
ProductVersion : 1, 0, 15, 0
ProductName : WD Button Manager
CompanyName : Western Digital Technologies, Inc.
FileDescription : WD Button Manager
InternalName : WD Button Manager
LegalCopyright : Copyright (C) 2003-2004
OriginalFilename : WDBtnMgr.exe

#:27 [gwmdmmsg.exe]
FilePath : C:\WINNT\
ProcessID : 2112
ThreadCreationTime : 12-8-2005 11:37:12 AM
BasePriority : Normal
FileVersion : 3.4.16 05/06/2002 19:12:44
ProductVersion : 3.4.16 05/06/2002 19:12:44
ProductName : GTW Modem Messaging Applet
CompanyName : GTW
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright � GTW 1998-2000
OriginalFilename : smdmstat.exe

#:28 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2136
ThreadCreationTime : 12-8-2005 11:37:14 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft
Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:29 [alg.exe]
FilePath : C:\WINNT\System32\
ProcessID : 2228
ThreadCreationTime : 12-8-2005 11:37:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft� Windows� Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : � Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:30 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 4028
ThreadCreationTime : 12-8-2005 11:44:13 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright � Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
��
New critical objects: 0
Objects found so far: 0

Started registry scan
��

180Solutions Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object :
S-1-5-21-2033606297-4007073159-1941659763-1003\software\microsoft\windows\currentversion\ext\stats\{21b4acc4-8874-4aec-aeac-f567a249b4d4}

Registry Scan result:
��
New critical objects: 1
Objects found so far: 1

Started deep registry scan
��

Deep registry scan result:
��
New critical objects: 0
Objects found so far: 1

Started Tracking Cookie scan
��

Tracking cookie scan result:
��
New critical objects: 0
Objects found so far: 1

Deep scanning and examining files (C:)
��

Disk Scan Result for C:\
��
New critical objects: 0
Objects found so far: 1

Deep scanning and examining files (E:)
��

Disk Scan Result for E:\
��
New critical objects: 0
Objects found so far: 1

Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
��

Hosts file scan result:
��
1 entries scanned.
New critical objects:0
Objects found so far: 1

Performing conditional scans...
��

Conditional scan result:
��
New critical objects: 0
Objects found so far: 1

7:12:50 AM Scan Complete

Summary Of This Scan
��
Total scanning time:00:18:46.690
Objects scanned:145181
Objects identified:1
Objects ignored:0
New critical objects:1

GR@PH;<'S · December 11, 2005, 10:15:57 PM

Mitch,
Get them to update there Ad-aware to get the latest Definition file
(SE1R79.09.12.2005) then to use CCleaner
(Note CCleaner Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours").
then scan doing a "Full Scan" and once the scan has finished
mark and remove the items then Reboot (ie: Re-start your PC)
Then re-scan doing a "Full Scan"
and repost a new log here.

then after you have dione that can you get them to download
HijackThis
After you have downloaded it and Unzipped it, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and then can you please post the Logfile in the
HijackThis Logs forum.
GR@PH;<'S :breakkie:

mitch · December 12, 2005, 12:19:05 AM

thanks graphics!
i'll pass on the info and it will be a day or two till i get the info to post

mitch

GR@PH;<'S · December 12, 2005, 04:05:11 PM

mitch,

no Problem just make sure they update before they scan

GR@PH;<'S :breakkie: