Text only | Text with Images

LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: heart on September 17, 2005, 10:33:43 PM

Title: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on September 17, 2005, 10:33:43 PM
 I'm a newbie, using a Compact Armada E500 laptop, w/ Xp Home Edition, and McAfee that wasn't current, and no other security software.  Had troubles installing EasyShare software for a new camera.  Downloaded and installed Service Pack2, and still couldn't install EasyShare.
Next day uninstalled McAfee, & installed & ran scan with Avast Personal SE.  Found "Memory Infected" as well as numerous other warnings w/ no options that would work, wouldn't allow Repair, Delete, or Move to Chest.
Installed & ran Updated Spybot S&D as well as Updated AdAware & "fixed" what I could.  There are 2-3 items that return as unable to fix.
Did another scan w/ Avast & numerous warnings continue, but I can complete the scan now.
The continuing warnings include:
win32:ADAN 142 TRJ
win32:ADAN 025
win32:TROJANO 1793
win32:TROJANO 1152 TRJ

There are others...

Am struggling to learn 4 new software programs w/in a short time, Avast, AdAware, Spybot, HijackThis in last 5 days trying to "catch up" with what I need to know to clean up my computer, so please be SIMPLE w/ any responses.  Reviewed postings here as well as at postings at the forums at Avast & Net Integrations, and I am hoping you all can help!  I see now that I should have waited to install Service Pack2 after I cleaned my computer.  Learning as fast as I can now, to make up for the lack of understanding & time to make sure my computer was secure.  Also had System Restore disabled for some of the above scans, but not all.  Wasn't sure if I should & when.  Not quite sure what to do now.  Pleeeez help.

Have installed, scanned & created a log with HijackThis for your review.  Have done nothing else with it.

Scan saved at 5:16:41 PM, on 9/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Toolbar\TBPS.exe
c:\WINDOWS\TBSSaver.scr
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50207
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50207
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50207
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Program Files\Accoona\atoolbar.dll
O3 - Toolbar: &WebSearch Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS_ZNxmk493ACUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on September 19, 2005, 05:56:29 PM
It looks like you have the IBIS toolbar on your machine. WE are first goinng to try to remove it using Windows Add/Remove Programs

Remove IBIS/Web Search
First, uninstall the Web Search program and WinTools program from Add/Remove Programs
1) Click on Start, Settings, Control Panel
2) Double click on Add/Remove Programs
3) Find "Web Search Toolbar" and "Win-Tools Easy Installer (By Web Search)" in the list of installed programs and click on Change/Remove to uninstall it.   
During the uninstall process, you will be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
4) Next, open My Computer, Drive C, and double-click on the Program Files folder
5) Right-click and delete the folder below if it still exists
·   Toolbar
Also check for the presence of the C:\Program Files\Common Files\Wintools directory. If this folder still remains you may have to follow the then let us know so we can guide you through the Wintools uninstall procedure.
6) IBIS WebSearch (websearch.com) should now be completely uninstalled from your computer.

7) Reboot and Repost a new HJT log file.
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on September 20, 2005, 01:24:54 AM
i uninstalled WebSherch ToolBarwith Add/Remove. However under WebSearch ToolBars there was WebSearch Tools  do you want me to remove also?

Win/-ToolsEI was not in my list of installed programs. However, there was a Windows Installer 3.1.
There was no folder Toolbar in my program files. Also therewere no WINTools directery common files .


there was Winsoftware in common files folder.-
Here is my HJT file.
Logfile of HijackThis v1.99.1
Scan saved at 8:01:05 PM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Program Files\Accoona\atoolbar.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS_ZNxmk493ACUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on September 20, 2005, 10:40:07 AM
YEs please remove Websearch Tools using Add/Remove Programs as well. Your HJT log is looking much better

Please read this about Bearshare http://www.malwhere.com/processes/bearshare.exe.html

PLease post a new HJT log when done
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on September 20, 2005, 09:03:02 PM
I removed Web Search Tools thru Add/Remove Programs.  Rebooted & attached new HJT log.
Prior to coming here, I downloaded & installed the free version of BearShare.  Friend told me about the spyware connected, so removed thru Add/Remove Programs as well.  It's no longer on that list, but since you've brought it to my attention...is it still there?  I'd like to have it gone.
I have friends w/ the paid for version of BearShare Pro that say they have no problems on their computer.  Is this paid for option safe to use?  Is it safe to use if I install the Malware program you directed me to review?
Also I see Acoona toolbar & Starware in my HJT log...is that what is next to remove?

                                                                      :lol:

Logfile of HijackThis v1.99.1
Scan saved at 8:01:05 PM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Program Files\Accoona\atoolbar.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS_ZNxmk493ACUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exec
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on September 21, 2005, 10:30:06 AM
Yes please remove Acoona toolbar & Starware using Windwos Add/REmove Programs. After removal check to see if these folders were deleted:
C:\Program Files\Starware\
C:\Program Files\Accoona\

The Bearshare paid version is supposely free of spyware

HJT log getting cleaner, we will remove all other unwanted/orphaned entries using HJT, once all spyware programs have been remvoed

Reboot and then post a new HJT log file
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on September 21, 2005, 11:29:42 PM
I removed Accoona Toolbar & Starware from Add/Remove programs.  I've attached a HJT log.
Additionally, I ran a thorough full system scan w/ Avast w/ no warnings!
Ran Spybot & was clean.
Then ran AdAware & about 30 critical objects came up, including IBIS Toolbar w/ 22 entries.
I thought we got rid of IBIS Toolbar (websearch....)? I opted to delete all.
I'd like to install 2 software programs, one for a new printer, and one for a new digital camera.
Is it safe to proceed, or shall I wait?   


                                                                            :sos:


Logfile of HijackThis v1.99.1
Scan saved at 6:29:14 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400005&utm_content=leftnav&utm_source=wdz&utm_medium=bund&utm_campaign=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400005&utm_content=leftnav&utm_source=wdz&utm_medium=bund&utm_campaign=wdz0605
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS_ZNxmk493ACUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on September 22, 2005, 02:21:46 PM
Unfortunately no uninstaller program works 100%

If you have Winfixer on your machine remove it by Add/Remove Programs

I would highly suggest that you do not palce any new s/w on your machine until we get ti cleaned up


You may need to be in Safe Mode to find it or use My Computer/Windows Explorer and activate "Show Hidden/System Files" Show Hidden and System files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-urity.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=  (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-urity.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=)

Clean out these folders
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".
MAy want to use CCleaner (http://www.ccleaner.com)
Please follow the instructions below if you wish to remove the offending items

Do NOT connect to the internet for the following
Close all windows
Open HJT and scan
Place checkmark(s) beside the entries below, once all entries have been checked press Fixed Check
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400005&utm_content=leftnav&utm_source=wdz&utm_medium=bund&utm_campaign=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400005&utm_content=leftnav&utm_source=wdz&utm_medium=bund&utm_campaign=wdz0605
R3 - Default URLSearchHook is missing
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll (file missing)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS_ZNxmk493ACUS
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab

Run two of the following programs
Update defintion files before scanning with any programs

Spysweeper
http://www.webroot.com/downloads/?WRSID=ca63153ba6cfe8ae94a8c66981b574e5

Microsoft Anti-spyware
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Ewido
http://www.ewido.net

Counterspy
http://www.sunbeltsoftware.com

Reboot
Repost a new HJT log file
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: Ripley on September 23, 2005, 07:32:13 PM
This is another member ripley sending a question for member heart.

She is having frustrations at her end trying to learn how to navigate thru learning XP.  I've been in phone contact with her since she's started her topic here at the forum.

Here's her reply/question:

Normmork, I am working on your recommendations, but I have a basic question.
I cleaned out the temp internet files for myself & other profiles.
When I go to my Temp, there are hundreds (exaggeration) of folders w/ stuff & others.  How do I clean out the Temp area?  Can I select all the folders & just delete them & their contents?  Or should I be doing something else with this process?
Sorry to be so unsure here.
Additionally, my Avast Personal SE will not scan...get message Unable to scan.  Log says multiple scanning errors.  Do I leave that alone for now, and proceed w/ your current recommendations to clean out temp files & fix w/ HJT?


Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: Corrine on September 23, 2005, 09:43:42 PM
Hi, Heart.  If you would like to use CCleaner to clean the temp files, perhaps the instructions below will help.  CCleaner is available from http://www.ccleaner.com

-- To use CCleaner to assist in this process, please follow these instructions:In the Windows Tab:

Clean all entries in the "Internet Explorer" section.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:

Clean all in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

5. Then click "Analyze", review the list and then click the "Run Cleaner" button and it will scan and clean your system.
6. Click exit
7. Shutdown/restart[/list]

Alternatively, instead of clicking Analyze above, you can click Run Cleaner.  I personally like to see what is happening on my machine which is why I "analyze" and then "run".  If you need additional help with CCleaner, post back and I'll put together some screen prints.

If you elect to clean the temp files manually, you have to open the folders and delete the contents, not the folders themselves.  There will be files that are in use that you will not be able to remove manually.
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: Ripley on September 23, 2005, 11:45:42 PM
Thank you Corrine!
I got the CCleaner myself so I can see what heart will be doing when she downloads & runs. 
Should have just taken Normmork's suggestion & had her download CCleaner, but didn't think she would a problem manually cleaning out those temp files.

Update for Normmork: I'll be working w/ heart to get CCleaner & complete the rest of your suggestions...probably take 2-3 days.

Still don't know what to tell her concerning Avast being unable to scan...leave that alone for now right?



Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: Corrine on September 24, 2005, 12:39:44 AM
Ripley, you could have her download Ewido.  See the instructions here:  http://www.landzdown.com/index.php/topic,1133.0.html .  DieHard put a nice tutorial together that is linked there.

Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on September 24, 2005, 06:41:32 PM
YEs please do not try to get AVAST 4 going right now. It may need a reinstall or something else

From the HJT log it appears these files are missing
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Getting the machine clean should bring hopefully back stability
l
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: Ripley on September 28, 2005, 10:52:25 PM
Normmork,
Just wanted to let you know that heart is still working on last instructions...be back soon w/ an updated HJT log.
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on September 29, 2005, 08:07:03 PM
Thank you for teh update  8)
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 06, 2005, 01:57:08 AM
Normmork, I'm back!  Sorry it took so long to get back to you...family stuff.
Downloaded & cleaned all you advised w/ CCleaner.
Ran HJT & did a fix on all entries as you noted and have pasted an updated log.
Haven't gotten the 2 of the 4 programs you recommended yet.  Plan on installing Ewido right away.  Do I still need one other?
And what about Avast problems?  Are files still missing?  Should I uninstall & re-install Avast?
Here's my log.

                                                                :gwave:

Logfile of HijackThis v1.99.1
Scan saved at 8:24:27 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400005&utm_content=leftnav&utm_source=wdz&utm_medium=bund&utm_campaign=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400005&utm_content=leftnav&utm_source=wdz&utm_medium=bund&utm_campaign=wdz0605
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: eBlocs SecurityToolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\Katelyn\Local Settings\Application Data\ssstbar\sssTbar.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: eBlocs SecurityToolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\Katelyn\Local Settings\Application Data\ssstbar\sssTbar.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYUS_ZNxmk493ACUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WFI.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 06, 2005, 02:18:11 AM
Oops in a BIG WAY!
Just reviewed my post and see I sent an old HJT log in my last post...bet you were wondering exactly what I am doing here.
Here's the updated one w/ your recommendations, pending Ewido.
       

                                                                               :shock:

Logfile of HijackThis v1.99.1
Scan saved at 9:08:38 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: eBlocs SecurityToolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\Katelyn\Local Settings\Application Data\ssstbar\sssTbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: eBlocs SecurityToolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\Katelyn\Local Settings\Application Data\ssstbar\sssTbar.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE










Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: Ripley on October 06, 2005, 03:18:14 AM
Hey Normmork!  Ripley here after talking to heart about her progress.  She just told me that she was able to download & scan w/ Ewido tonight as well.  There were 65 infected files cleaned.  She wants to know if she should post an Ewido scan log?
She's cookin' now!
Think her system is going to get back to some kind of normal?
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 08, 2005, 04:20:56 AM
Yes please post the ewido log and use at least another spyware scanner. THINGS ARE GETTING BETTER!!   :D

After that remvoe this using  IWndows Add/Remove Programs
eBlocs SecurityToolbar

If it is not there use HJT to remove this line, this is part of LOP
O2 - BHO: eBlocs SecurityToolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - C:\Documents and Settings\Katelyn\Local Settings\Application Data\ssstbar\sssTbar.dll

REmove this folder in RED
C:\Documents and Settings\Katelyn\Local Settings\Application Data\ssstbar

REboot and repost a new HJT file

Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 08, 2005, 06:52:38 PM
I removed eBlocs toolbar thru Add/Remove programs.  Could not find the "red" ssstbar folder in Katelyn's application data folder.  However, there was a Starware folder in Katelyn's application data folder...left it there.
I downloaded, updated, and scanned with Counterspy and 120 objects were found and  removed.             :chair:
Rebooted and ran another HJT scan.  The 02-BHO line with eBlocs Security Toolbar was not there, so nothing more has been done.
As
requested, here's my last Ewido log and an updated HJT log:


ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         10:23:19 PM, 10/5/2005
+ Report-Checksum:      8FF3BDC4

+ Scan result:

   HKLM\SOFTWARE\Classes\AQUAX.aquaXCtrl.1\CLSID\\ -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{356639AA-E878-40FF-B2F8-E22FA87DF389} -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{356639AA-E878-40FF-B2F8-E22FA87DF389}\TypeLib\\ -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{4278B4EB-8CC5-45E8-8AF4-43DFD0E9D250} -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{4278B4EB-8CC5-45E8-8AF4-43DFD0E9D250}\TypeLib\\ -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{4C42E5EB-3A9C-48E2-B2D0-59681B3DBB8C} -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{175816A5-219E-4079-B2F9-53C501C409BA}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{2180C048-802A-416A-82B3-26E796633D91}\TypeLib\\ -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{5D16197A-1EAA-45AF-B29A-69F1AA055E87}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{665ABE65-2C16-4341-B4B8-01FF799E8F4C} -> Spyware.CometCursor : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{665ABE65-2C16-4341-B4B8-01FF799E8F4C}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423} -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{8A61A950-C325-4F44-BA64-273180FF3464}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{956948D9-A842-4DCE-9ACE-1269B2DC8D38}\TypeLib\\ -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{B53D4CD4-406D-43CC-8244-7893D72236DD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{B9BB3219-F84C-4060-966B-4A1E73E24226}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324} -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{F786CB18-3809-4E49-BC99-9A66DA47DB8B}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
   HKLM\SOFTWARE\Classes\SSaver.SaverObj -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\SSaver.SaverObj\Clsid -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\SSaver.SaverObj\Clsid\\ -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{3894347C-6C5A-444B-B49E-35473CB4D010} -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{5CF68A06-673D-4619-A805-C8FC9AC611DD} -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{71EFE583-62FE-4419-9918-CA3B683F7B36} -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\HbTools -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\HbTools\HbTools -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\HbTools\HbTools\PI -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\HbTools\HbTools\PI\3.2 -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\HbTools\Hotbar -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\HbTools\Hotbar\Install -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/QDow_AS2.dll\\.Owner -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/QDow_AS2.dll\\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
   HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{946B3E9E-E21A-49c8-9F63-900533FAFE14} -> Spyware.HotBar : Cleaned with backup
   HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E77EDA01-3C56-4a96-8D08-02B42891C169} -> Spyware.HotBar : Cleaned with backup
   HKU\S-1-5-21-329068152-1563985344-1708537768-1007\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E} -> Spyware.CometCursor : Cleaned with backup
   HKU\S-1-5-21-329068152-1563985344-1708537768-1007\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{946B3E9E-E21A-49c8-9F63-900533FAFE14} -> Spyware.HotBar : Cleaned with backup
   HKU\S-1-5-21-329068152-1563985344-1708537768-1007\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E77EDA01-3C56-4a96-8D08-02B42891C169} -> Spyware.HotBar : Cleaned with backup
   HKU\S-1-5-21-329068152-1563985344-1708537768-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
   HKU\S-1-5-21-329068152-1563985344-1708537768-1007\Software\ShopperReports -> Spyware.HotBar : Cleaned with backup
   HKU\S-1-5-21-329068152-1563985344-1708537768-1007\Software\ShopperReports\ShopperReports -> Spyware.HotBar : Cleaned with backup
   HKU\S-1-5-21-329068152-1563985344-1708537768-1007\Software\ShopperReports\ShopperReports\PostInstaller -> Spyware.HotBar : Cleaned with backup
   HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{946B3E9E-E21A-49c8-9F63-900533FAFE14} -> Spyware.HotBar : Error during cleaning
   HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E77EDA01-3C56-4a96-8D08-02B42891C169} -> Spyware.HotBar : Error during cleaning
   C:\Documents and Settings\Katelyn\thin-172-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
   C:\Documents and Settings\Lynn\installer_MARKETING35.exe -> TrojanDownloader.Adload.a : Cleaned with backup
   C:\Documents and Settings\Lynn\Local Settings\Temp\temp.fr123D -> TrojanDownloader.PurityScan.af : Cleaned with backup
   C:\Documents and Settings\Lynn\Local Settings\Temp\temp.fr9EEB -> TrojanDownloader.PurityScan.af : Cleaned with backup
   C:\Documents and Settings\Lynn\Start Menu\Programs\WhenU -> Spyware.SaveNow : Cleaned with backup
   C:\Documents and Settings\Lynn\Start Menu\Programs\WhenU\Learn More About Save!.url -> Spyware.SaveNow : Cleaned with backup
   C:\Documents and Settings\Lynn\Start Menu\Programs\WhenU\Learn More About SaveNow.url -> Spyware.SaveNow : Cleaned with backup
   C:\Documents and Settings\Lynn\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Cleaned with backup
   C:\Program Files\myCleanerPC\InstallT.exe -> Spyware.VirtualBouncer : Cleaned with backup
   C:\Program Files\oose\nwtd.exe -> TrojanDownloader.PurityScan.af : Cleaned with backup
   C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Spyware.Comet : Cleaned with backup
   C:\WINDOWS\system32\lѕass.exe -> Spyware.PurityScan : Cleaned with backup
   C:\WINDOWS\system32\tnmaeg06.dll -> TrojanDownloader.Lastad.r : Cleaned with backup
   C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta : Cleaned with backupLogfile of HijackThis v1.99.1
Scan saved at 1:15:00 PM, on 10/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CounterSpy\sunserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CounterSpy\SunProtectionServer.exe
C:\Program Files\CounterSpy\sunThreatEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\sunserver.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 09, 2005, 04:28:24 PM
Your HJT log looks clean  :gwave:

In anothr post it was pointed out this is a bug in HJT, so everything is OK  8)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

I would recommend an online  scan using Trendmicro A/V plus their anti-spyware software
http://www.trendmicro.com (http://www.trendmicro.com)

Let me know if it find anything

Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 09, 2005, 08:52:17 PM
Normmork,
So pumped that my HJY log is clean.
Attempted a Trendmicro online scan, but when I got to the area that asks what location to scan, there were no options.  Was unable to scan.  Can you advise on how I can get this done?
I did not install their anti-spyware software, but downloaded, installed, and updated SpywareBlaster...and it is active.
Bigger question, I am still unable to scan with Avast.  Should I uninstall and re-install?
       DeleteReplyForwardSpamMove...  :uhm:
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 10, 2005, 03:43:51 AM
Try here
http://housecall60.trendmicro.com/en/start_corp.asp?id=scan
Lets wait until we get the results of the trendmicro scan
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: Ripley on October 10, 2005, 05:51:53 PM
Hey Normmork,
Was on the phone w/ heart when she attempted to run online scan...she WAS at the second link you provided for TrendMicro in your last post.  Will have her try again, but are there some software features she should disable/pause first?
She has Spybot, AdAware, SpywareBlaster, Ewido SS, Counterspy, Avast Personal, & XP w/ Service Pack 2.
Actual problem: when she arrived at the screen which asked for location to scan there was a single x in the box only, according to what she described over the phone.  Had her hit the back key 3 different times to re-attempt the process and the single x returned each time w/ no other options.  I ran the scan on my computer at the same time she was doing it, and I received My Computer, and all my disk locations and could choose drive C to start the scan.
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 10, 2005, 08:37:28 PM
HI ripley

AVAST 4 is running, in fact eh fiels that HJT say are missing so it is a bug. SO it can be stopped
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

Counterspy and Ewido can be stopped as well
One other thought is if a firewall is running then she my be stopping the program from contacting the internet
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 11, 2005, 03:53:25 PM
Normmork,
Attempted Trendmicro online scan 4 more times w/ no success...same issue, i.e., when I get to the point where it asks me the location on the computer to scan there is just a single x.
These attempts came after:
Disabling: XP firewall & pop-up blocker & Browser pop-up blocker.
Stopping all providers in Avast.
Disabling Ewido & Counterspy.
And adding *Trendmicro.com to my Trusted site list.
Still can't scan...any more ideas?
Also went to Add/Remove programs and selected a Repair on Avast and planning on doing a thorough scan w/ Avast to see if it will work now. :gah:
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 11, 2005, 08:04:13 PM
I want to make sure you ahve nio viruses on your machine

So we have some other sites
Run at least two of the online AV scans:
Update defintion files before scanning with any programs
Panda Active Scan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
F-SecureAntivirus scan (http://support.f-secure.com/enu/home/ols.shtml)
BitDefender Free Online Virus Scan (http://www.bitdefender.com/scan/licence.php)
Symantec Security Scan & Virus Detection (http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=OQOFIHKERRDTIPOKYJL)
RAV AntiVirus Online Virus Scan! (http://www.ravantivirus.com/scan/)
Danish Antivirus scan (http://www.virus112.com/index.php?page=online_virusscan_registration)
McAfee Antivirus scan (http://us.mcafee.com/root/catalog.asp?catid=free)
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 13, 2005, 04:33:57 PM
Normmork,
Here is the results of the Panda online scan.  Plan to do one other, but wanted to send this.


Incident                      Status                        Location                                                                                                                                                                                                                                                       

Adware:Adware/PurityScan      No disinfected                C:\Documents and Settings\Katelyn\Local Settings\Temp\!update.exe                                                                                                                                                                                               
Adware:Adware/Comet           No disinfected                C:\Documents and Settings\Mallory\Local Settings\Temp\unpack\CC_43.inf                                                                                                                                                                                         
Adware:Adware/Comet           No disinfected                C:\Documents and Settings\Mallory\Local Settings\Temp\unpack\inst43.exe                                                                                                                                                                                         
Adware:Adware/PurityScan      No disinfected                C:\Program Files\oose\nwtd.exe
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 13, 2005, 06:50:39 PM
Finished doing an online scan at McAfee and there were no infections noted...how 'bout that? A big fat zero for once.
I could only find 1 of the 4 of those files pointed out by the Panda scan...the oose\nwtd.exe in my program files...have done nothing w/ it yet.  How do I get rid of it?
The other 3 files are in Temp folders, but when I go into documents & settings\katelyn...there is no Temp folder.  Same thing in Mallory's documents & settings?  How do I find, to get rid of?  I can't access CCleaner from those 2 profiles either.  I'm sure it is my unfamiliarity w/ XP.  I have something called Parental Control on these 2 profiles... could that be blocking my ability to see the Temp folders?  Don't know how to turn it off.
As far as Avast, I did a repair thru Add/Remove programs and there are fewer error messages..here is an example:

9:14:22 AM 1128435262 SYSTEM 1656 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\Temp\mcuE.tmp\mcuninst.dll failed, 00000005. 
10/4/2005 9:14:22 AM 1128435262 SYSTEM 1656 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\Temp\mcuE.tmp\Uninst.dll failed, 00000005. 
10/4/2005 7:57:06 PM 1128473826 SYSTEM 1656 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/5/2005 6:54:21 PM 1128556461 SYSTEM 1656 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/5/2005 7:26:27 PM 1128558387 Mallory 1936 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/8/2005 11:39:53 AM 1128789593 SYSTEM 1920 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/8/2005 6:22:12 PM 1128813732 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/8/2005 9:11:39 PM 1128823899 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/9/2005 2:24:16 AM 1128842656 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFont.for failed, 00000005. 
10/9/2005 2:24:17 AM 1128842657 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\slrundll.exe failed, 00000005. 
10/9/2005 2:24:18 AM 1128842658 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\unvise32qt.exe failed, 00000005. 
10/9/2005 2:24:20 AM 1128842660 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\~DFFA2F.tmp failed, 00000005. 
10/9/2005 2:58:23 PM 1128887903 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/10/2005 5:18:23 PM 1128982703 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/11/2005 2:15:13 AM 1129014913 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\loadhttp.dll failed, 00000005. 
10/11/2005 2:15:14 AM 1129014914 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\RMAgentOutput.dll failed, 00000005. 
10/11/2005 2:15:14 AM 1129014914 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\runtsckl.exe failed, 00000005. 
10/11/2005 2:15:15 AM 1129014915 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\slrundll.exe failed, 00000005. 
10/11/2005 2:15:15 AM 1129014915 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\TMUPDATE.DLL failed, 00000005. 
10/11/2005 2:15:17 AM 1129014917 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\unvise32qt.exe failed, 00000005. 
10/11/2005 2:15:17 AM 1129014917 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\UNZIP.DLL failed, 00000005. 
10/11/2005 2:15:18 AM 1129014918 SYSTEM 1652 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\~DFFA2F.tmp failed, 00000005.



10/9/2005   2:58:25 PM   1128887905   SYSTEM   1652   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\QTFONT.FOR (C:\WINDOWS\QTFONT.FOR) returning error, 00000005. 
10/10/2005   5:18:24 PM   1128982704   SYSTEM   1652   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\QTFONT.FOR (C:\WINDOWS\QTFONT.FOR) returning error, 00000005. 
10/11/2005   2:15:13 AM   1129014913   SYSTEM   1652   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\loadhttp.dll (C:\WINDOWS\loadhttp.dll) returning error, 00000005
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 13, 2005, 07:11:24 PM
If files are open soemtimes the A/V programs can't scan them

I don't know about parental control. You need to have an account with full administer privileges, to check this go to WIndows Control Panel|User Accounts| choose the user account|click on the properties button.

Go to My Computer, find these entries and try to delete them
C:\Documents and Settings\Katelyn\Local Settings\Temp\!update.exe
C:\Documents and Settings\Mallory\Local Settings\Temp\unpack\CC_43.inf
C:\Documents and Settings\Mallory\Local Settings\Temp\unpack\inst43.exe
C:\Program Files\oose\nwtd.exe

If windows gives an error message saysing the file is in use. Then you need to try it in Windoas Safe Mode, see here for instructions
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 17, 2005, 05:10:48 PM
Normmork,
I went to C:Program Files and deleted the oose folder, actually the nwtd.exe file was not in there that I could see.  But I deleted the main folder...good enough?
Then I found the Temp folders in local settings/Katelyn/Mallory, and manually deleted all in their Temp folders, and ran CCleaner from both their profiles as well.
Once again, actually did not find the specific files names as pointed out by Panda scan, but have tried to clean the Temp folders as best i know how.
Is my computer clean?

                                                                                     :?:
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 18, 2005, 01:27:53 AM
Pretty close

Run one more HJT scan and post teh results
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 18, 2005, 09:32:36 PM
Normmork,
I ran scans on AdAware, Spybot, Counterspy, Ewido, as well as Avast and NOTHING WAS FOUND ON ANY OF THEM!

I am still getting scanning errors w/ Avast, but not as many.  All see to be QuickTime related?
Here's a sample:
10/5/2005 6:54:21 PM 1128556461 SYSTEM 1656 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/5/2005 7:26:27 PM 1128558387 Mallory 1936 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005. 
10/8/2005 11:39:53 AM 1128789593 SYSTEM 1920 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\QTFONT.FOR failed, 00000005.

Is this something I should ignore or should I try to scan w/ Avast in safe mode?  Have not done that yet


                                                                                       :Yahoo:


Logfile of HijackThis v1.99.1
Scan saved at 4:02:25 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CounterSpy\sunThreatEngine.ex
                                                                                         
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 18, 2005, 09:45:25 PM
Normmork,
Just reviewed my previous post and noticed that my HJT log was A LITTLE SHORT!
Guess I need to learn to use that "Preview" button...
Sorry, 'bout that...here's the whole thing!       :oops:



Logfile of HijackThis v1.99.1
Scan saved at 4:02:25 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CounterSpy\sunThreatEngine.exe
C:\Program Files\CounterSpy\SunProtectionServer.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CounterSpy\sunserver.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\sunserver.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE                                                           
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 20, 2005, 01:41:55 AM
you can try AVAST in Safe Mode

Then remove this using HJT
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

reboot
and post a new HJt log
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 21, 2005, 05:41:04 PM
 
Normmork,
Did a thorough scan w/ Avast in safe mode and no error or warning messages were recorded for that scan in my log.  There was nothing detected either.
In the future, do I just ignore the error messages from Avast if they are in QT as it appeared that the only error/warnings were unable to scan QT?
Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:13 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CounterSpy\sunThreatEngine.exe
C:\Program Files\CounterSpy\SunProtectionServer.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CounterSpy\sunserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Spybot - Search & Destroy\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\sunserver.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EX       :)

Edit Note:  Inadvertently posted personal informaiton removed.
Corrine
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 22, 2005, 02:56:45 AM
HJT log loooks fine now, thanks for keeping with it  :gwave:

I can't say about the error mesage to ignore it , any scans are faster in Safe Mode
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: heart on October 25, 2005, 03:19:50 PM
Normmork,
Wasn't sure I'd ever see this day...my computer is CLEAN thanks to your help.  
Based on your suggestions and to prevent this stuff coming back in, I've purchased the one year subscriptions to Ewido and Counterspy, have SpywareBlaster and Spybot Tea-Timer active, and will keep an eye on my Avast error/warning logs.
I'm back to being a happy surfer and crusing right along!
Thanks again Normmork!

                                                                      :boat:
Title: Re: Can't Remove Win32:ADAN & Win32:TROJAN & Others.
Post by: normmork on October 28, 2005, 04:57:13 AM
Your very welcome

Sorry about the slow response I am on a training course in Las Vegas
Text only | Text with Images