Member Avatar for normanallen

This is mostly my own fault, but solving the problem has got me beat so far.
I subscribed to a list from laughternetwork.com called freefunnyjokes.
Recently their site said "to continue getting our newsletter goto http://freefunnyjokes.info/update.php ". Going to this site said "To continue Click here" - a link to http://laughternetwork.com/installer/videos/new_videos.exe"
More fool me, I clicked on the link, and it has installed something that shows on the system tray as a smiley with a drop down list for assorted kinds of videos.
I cannot find any way of removing this. There is nothing obvious in Add/Remove Programs. I have various software programs showing me what should run at startup, and it all *looks* legitimate. Task Manager gives all the processes running, but again there is nothing obvious there.
I have sent the owners of this list an email asking how to get rid of it, but there has been no response in over a week. Does anyone have any idea of how to get rid of this?

Norman

  • 4 Contributors
  • 13 Replies
  • 180 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by PhilliePhan
jbennet commented: some rep to get you started +4

Recommended Answers

All 13 Replies

Member Avatar for caperjack

because this is spyware related i will move you to the spyware section ,

commented: good +4
Member Avatar for normanallen

I'm not 100% sure this is spyware, but in any case Ad-aware doesn't come up with anything. I have attached the log from HijackThis if anyone cares to scan it for something out of the ordinary.
(Just as an aside - references to Whale are legitimate - it's the application I need to use to access my company's network). I can identify most of what's there, but there are some things I really don't know what they do!

Norman

Logfile of HijackThis v1.99.1
Scan saved at 20:26:12, on 06/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PC Magazine Utilities\StartEase\StartEase.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Program Files\RssReader\RssReader.exe
C:\FBTaskScheduler.exe
C:\Program Files\FreeMeter\FreeMeter.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Memturbo 4\MemTurbo.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\FSScrCtl.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DU Meter] "C:\Program Files\DU Meter\DUMeter.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartEase] "C:\Program Files\PC Magazine Utilities\StartEase\StartEase.exe"
O4 - HKCU\..\Run: [TClockEx] "C:\Program Files\TClockEx\TCLOCKEX.EXE"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [RssReader] "C:\Program Files\RssReader\RssReader.exe"
O4 - Startup: FBTaskScheduler.lnk = C:\FBTaskScheduler.exe
O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\Memturbo 4\MemTurbo.exe
O4 - Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Startup: Screen Saver.lnk = C:\FSScrCtl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O16 - DPF: JavaConnect - https://ukw2whale.tsainc.com/whalecom9364d5b02f446396d5a5265371c3f3a4/whalecom0/sametime/javaconnect/JavaConnect.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E40C477-ECA7-48DC-A9FC-D4F77A365442} (STURLConnection Control) - https://ukw2whale.tsainc.com/whalecom9364d5b02f446396d5a5265371c3f3a4/whalecom0/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - https://ukw2whale.tsainc.com/whalecom9364d5b02f446396d5a5265371c3f3a4/whalecom0/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {5E3E59C4-7847-11D0-9081-0080C76A0985} (IPTDImageControl.SImage) - https://ukw2whale.tsainc.com/whalecom8e239aad310b748a251b6944b30d/whalecom1/Common/activex/iptdimagecontrol.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160604489250
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://ukw2whale.tsainc.com/whalecom8b78d7b82e02789643ce6a5bcf529f/whalecom0/tsweb/msrdp.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://oma2whaletest.tsainc.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://F:\system\IntraLaunch.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aciworldwide.webex.com/client/T23L/support/ieatgpc.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://ukw2whale.tsainc.com/whalecom8e239aad310b748a251b6944b30d/whalecom1/common/activex/ikcntrls.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Cor
Member Avatar for PhilliePhan

Hi Norman,

Let's have a look, shall we?

FIRST:
Download HijackThis from http://downloads.malwareremoval.com/hijackthis_sfx.exe

Save the setup file on your desktop.
Then, DoubleClick on it and by default it should install to C:\Program Files\HijackThis
Continue through the setup and allow it to create a desktop icon for you. Follow all the prompts, click Finish

-- Run HJT > Click Do a system scan and save a logfile and submit that for me.

EDIT PP: Missed your last post - please do the below as well....


ALSO:
Let's get a StartupList.
Run HijackThis and open the Misc Tools section.
-- Check the boxes to List minor sections & List empty sections
-- Click Generate StartupList & Yes
-- Please submit that log for me as well.


Will check back as time permits. Lotta playoff football to watch this weekend! ;)

PP

Member Avatar for normanallen

As requested

StartupList report, 06/01/2007, 22:07:04
StartupList version: 1.52.2
Started from : C:\hjt\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PC Magazine Utilities\StartEase\StartEase.exe
C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Program Files\RssReader\RssReader.exe
C:\FBTaskScheduler.exe
C:\Program Files\FreeMeter\FreeMeter.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Memturbo 4\MemTurbo.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\FSScrCtl.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\hjt\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Norman\Start Menu\Programs\Startup]
FBTaskScheduler.lnk = C:\FBTaskScheduler.exe
FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
MemTurbo.lnk = C:\Program Files\Memturbo 4\MemTurbo.exe
Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
Screen Saver.lnk = C:\FSScrCtl.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nwiz = "nwiz.exe" /install
NvMediaCenter = "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
NvCplDaemon = "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
DU Meter = "C:\Program Files\DU Meter\DUMeter.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NeroFilterCheck = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
Share-to-Web Namespace Daemon = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
WinPatrol = "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
zBrowser Launcher = "C:\Program Files\Logitech\iTouch\iTouch.exe"
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINDOWS\UpdReg.EXE
Jet Detection = "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
CTStartup = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
RegistryMechanic = 
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
StartEase = "C:\Program Files\PC Magazine Utilities\StartEase\StartEase.exe"
TClockEx = "C:\Program Files\TClockEx\TCLOCKEX.EXE"
TaskBar = "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
RssReader = "C:\Program Files\RssReader\RssReader.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

[CTStartup]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) =
Member Avatar for PhilliePhan

As requested

Hi Norman,

I'm sorry! I am doing ten things at once and was a bit distracted . . ..

What I meant to ask for was the Uninstall List via HJT's Misc Tools.
-- Also, I have attached unstll.zip to this post
-- Please download unstll.zip and extract it to your Desktop.
-- A folder labeled unstll will appear on your Desktop.
-- Open the folder and DoubleClick unstll.bat and give it a couple seconds to run.
A very large log should pop up in Notepad. Please attach that (unstll.txt) for me.

BTW - You should be advised that anytime somebody in any forum gives you an unknown program to run (even a simple batch like this one), it is strictly a "Use At Your Own Risk" proposition!

Anyhoo, it is up to you if you want to trust me :)

-----------------------------------------

I did take a quick look at your Startuplist and saw a couple things. I doubt if they are still active. You've got plenty of anti-spy protection installed and I imagine they cleaned the threat, but I thought I'd point them out to you (these are the only ones that jumped out at me at quick glance):


aaudstum: \??\C:\DOCUME~1\Norman\LOCALS~1\Temp\aaudstum.sys (manual start) --> I don't know what this is. Doesn't look right to me.

mchInjDrv: \??\C:\WINDOWS\TEMP\mc22.tmp (disabled)---> this is related to a nasty backdoor trojan with keylogging capabilities. Probably no longer active, but you may want to investigate further.


Gotta run - Will try to check back as time permits.
In the meantime, you may want to have a look at the unstll.txt and see if you can find the unwanted proggy.

Best :)
PP

Member Avatar for jbennet

get ms windows defender (free) - choose NOT to join spynet and remember to do a ms update after install to get the definitions

run a FULL scan. this has helped me before.

Member Avatar for PhilliePhan

get ms windows defender (free) - choose NOT to join spynet and remember to do a ms update after install to get the definitions

run a FULL scan. this has helped me before.

That might be a bit of overkill in this case. ;) The HJT Log shows the following active anti-spy apps:

Spy Sweeper
Spyware Doctor
Winpatrol

These are solid apps. Plus, I'm not so sure we are dealing with a baddie as much as a nuisance program.

PP :)

Member Avatar for PhilliePhan

mchInjDrv: \??\C:\WINDOWS\TEMP\mc22.tmp (disabled)---> this is related to a nasty backdoor trojan with keylogging capabilities. Probably no longer active, but you may want to investigate further.

LOL! :)

That last post jogged my memory . . . . mc22.tmp may very well be a driver related to the Spyware Doctor component of Spy Sweeper.

Good grief! How do they expect us to keep track of the good and the bad.....


PP :)

Member Avatar for jbennet

That might be a bit of overkill in this case. The HJT Log shows the following active anti-spy apps:

Spy Sweeper
Spyware Doctor
Winpatrol

sorry, didnt see that (never used HJT before)

Member Avatar for PhilliePhan

sorry, didnt see that (never used HJT before)

No worries - It was a good suggestion! :)

And, if you hadn't gotten me thinking about it, I'd probably never have placed that questionable driver with Spyware Doctor......

PP :)

commented: nice +4
Member Avatar for jbennet

i ony ever had a keylogger, 2 trojans and an adware bar on any of my pcs and ive been running them for years

i dont know how ppl keep getting so many viruses.........

Member Avatar for normanallen

GOTCHA. The uninstall list came up witha couple of curious names I didn't recognise, one of which was "mvi". I uninstalled this and *gone*. I don't know how I missed it in the first place, but having a simple list rather than the info that Add/Remove Programs generates makes it much easier to find something that tries to be anonymous.

27 Tools-in-1 Wichio Basic
3D Windows XP Screen Saver
3D World Map 2.1
Active Security Monitor 1.0.0.315
Ad-Aware SE Personal
Adobe Flash Player 9
Adobe Reader 8
Adobe Photoshop Album Starter Edition 3.0
AnalogX NetStat Live
AquaBall (remove only)
AquaPark
ArcSoft Panorama Maker 3.0
Ashampoo Burning Studio 5
Ashampoo PowerUp XP Platinum
Atlantis - Sky Patrol
Atomic Clock Sync
Birds on a Wire
BlueSoleil
Bugatron Worlds 1.01
Calculator Powertoy for Windows XP
Call of Duty(R) 2
Chicken Invaders: Revenge of the Yolk (Christmas Edition) demo 
ClearType Tuning Control Panel Applet
CmdHere Powertoy For Windows XP
CodeWright 6.0
Colin McRae Rally 04
Counter-Strike(TM)
Documents To Go
DU Meter
ElectricSheep 2.6.6
Fable - The Lost Chapters
FileSnoop Version 1.1
FileSpecs plug-in for Ad-Aware SE
FreeMeter
Gold Pack v1.0 for Pocket Tanks Deluxe
Golden Sub
Google Earth
Google SketchUp
Google Toolbar for Internet Explorer
GPL Ghostscript 8.54
GPL Ghostscript Fonts
G-Zapper v1.45
Hebrew Calendar 9
HexDump plug-in for Ad-Aware SE
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
hp deskjet 930c series
hp deskjet 930c series (Remove only)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - Scanners
Intel(R) 536EP Modem
InterActual Player
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 3
Kyodai Mahjongg 2006 v1.42
LimeWire 4.12.6
LiveUpdate 2.0 (Symantec Corporation)
Logitech iTouch Software
LSP Explorer plug-in for Ad-Aware SE
MailWasher Pro
MechWarrior 4 Mercenaries Downloadable Trial
Memturbo 4
Messenger-Control plug-in for Ad-Aware SE
MGI PhotoSuite 4 (Remove Only)
MGI PhotoSuite Mobile Edition (Remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Location Finder
Microsoft Office XP Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 6.0 Standard Edition
Microsoft Visual C++ 6.0 Starts Here
Mozilla Firefox (2.0.0.1)
MSDN Library - Visual Studio 6.0a
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
mvi
My DSC
Mysteries of Horus
Neon Wars v1.01
Nero 7 Premium
Nikon FotoShare
Nikon View 6
Nokia Connectivity Cable Driver
Nokia PC Suite
NVIDIA Drivers
OE/W Messengerctrl plug-in for Ad-Aware SE
OneTouch Software
OpenMG AAC Add-on Module 1.0.00
OpenMG Limited Patch 4.5-06-05-12-01
OpenMG Secure Module 4.5.01
OpenOffice.org 2.0
OTOY
Palm
Paparazzi
PC Connectivity Solution
PC Magazine Defrag-A-File 1.0
PC Magazine StartEase 1.0
PCI Audio Driver
PCMagazine SurfSpeed
Picasa 2
Pocket Tanks Deluxe v1.1
PowerArchiver 2006 v9.64
Prince of Persia T2T
PrintKey2000
QuickTime
Real Alternative 1.50
RealArcade
RealPlayer
Reaxxion
Registry Mechanic 5.2
RssReader
Sandlot Games Client Services 1.2.2
Sea War The Battles 2
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Serious Sam 2
SiteHound for FireFox 1.5.0
Slingo Quest (remove only)
Snowball Pack v1.0 for Pocket Tanks Deluxe
SonicStage 4.0
Sound Blaster Audigy
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 4.0
Star Downloader Pro
Steam(TM)
Super Collapse!(TM) 3 
Super Slyder(TM)
Symantec AntiVirus
Talismania(TM) Deluxe
Task Catcher
TClockEx
The Three Musketeers (remove only)
Tile Quest (remove only)
Tomb Raider III
Top Ten Solitaire (remove only)
TreeSize Professional 3.3.3
Tweak UI
Tweak-SE plug-in for Ad-Aware SE
Ulead Photo Express 4.0 SE
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB CF-SM Dual Reader
Virtual Earth 3D (Beta)
WebEx
Whale Communications' Client Components v3.5.1
Winamp (remove only)
Windows Driver Package - Nokia (WUDFRd) WPD  (11/03/2006 6.82.26.2)
Windows Driver Package - Nokia Modem  (11/03/2006 6.82.0.1)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinPatrol
WinPatrol
WXTide32
Xfire (remove only)
XnView 1.80.3
XP Codec Pack
Yahoo! Toolbar
ZoneAlarm
Member Avatar for PhilliePhan

GOTCHA. The uninstall list came up witha couple of curious names I didn't recognise, one of which was "mvi". I uninstalled this and *gone*.

Great! Happy to hear it :)

You can also dump J2SE Runtime Environment 5.0 Update 3 and install the latest update.

Java Runtime Environment (JRE) 6

Cheers :)
PP

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.