| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 95887 | 2008-12-20 04:43:00 | Super anti Spyware reports file and registry entries as adware. | Colpol (444) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 731159 | 2008-12-20 04:43:00 | Hi folks. Ran SASW on my system. It came back with ADWARE.HB Helper(12 items) Files c:\program files\IE toolbar\eco bar\tbhelper.dll Registry Keys 10 lines with addresses HKCR\CLSID then "numbers/letter" some of which have InprocServer32 InprocServer32#thread ProgID TypeLib VersionIndependentProgram HKCR\URLSearchHook.ToolbarURLSearchHook HKCR\URLSearchHook.ToolbarURLSearchHook1 HKLM\Software\Classes\CLSID\("Numbers and letters") Hope this makes sense. Unable to extract the relevent entries from SASW so have had to write it out. Anyway Deleted the relevent entries but it came back so Disabled System restore and emptied recycle bin and ran it again. Still came back. Is it part of the windows protected file system??? Here is My HJT log. Maybe something in there. BTW the entry 023 Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE Refers to the Lexmark Printer I had months ago. I delete it with HJT but it seems stuck in place and keeps coming back. Not woried about it just curious as to why it will not remove. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:23:47 p.m., on 20/12/2008 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\RtHDVCpl.exe C:\Program Files\Alwil Software\Avast4\ashDisp.exe C:\Program Files\ScanSoft\OmniPagePro12.0\opware12.exe C:\Windows\system32\schtasks.exe C:\Program Files\COMODO\SafeSurf\cssurf.exe C:\Windows\System32\rundll32.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Brother\ControlCenter3\brccMCtl.exe C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Windows\ehome\ehtray.exe C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe C:\Windows\system32\jusched.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Windows Mail\WinMail.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ie.redirect.hp.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = ie.redirect.hp.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost;*.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\Run: [ avast! ] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O13 - Gopher Prefix: O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll C:\Windows\system32\cssdll32.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 7564 bytes Thanks Colin |
Colpol (444) | ||
| 731160 | 2008-12-20 04:51:00 | Uninstall all versions of Java then update it Tick these then tick fix checked Close browsers Did you uninstall the printer drivers, you didn't just delete its folder did you? O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" O4 - HKLM\..\Run: C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe [B]If you didnt do this tick these 2 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present Do a scan with malwarebytes |
Speedy Gonzales (78) | ||
| 731161 | 2008-12-20 05:37:00 | That was quick. No wonder your nick is speedy. I uninstalled the printer. Unistalled java but auto install wont work(Installer cannot proceed with the current Internet Connction Settings) so downloading for manual install. Removed entries as suggested. The entries found by SASW were not found by Malwarebytes before but on your suggestion am scanning again. |
Colpol (444) | ||
| 731162 | 2008-12-20 05:46:00 | Then reboot after that. If its still there disable system restore | Speedy Gonzales (78) | ||
| 731163 | 2008-12-20 07:24:00 | Then reboot after that. If its still there disable system restore OK. Did the HJT bit. Java updated. SR was still disabled from previous efforts. Scanned with both MWB and SASW. Nothing found by MWB. Same set found by SASW Restarted. Rescanned with SASW Damn entries still present?????????????:badpc::badpc: |
Colpol (444) | ||
| 731164 | 2008-12-20 07:58:00 | Use trojan remover then. Install update click on scan Then select all options under utilities Dont use this tho if Vista is 64 bit, its not compatible with 64 bit |
Speedy Gonzales (78) | ||
| 731165 | 2008-12-20 09:24:00 | Use trojan remover then. Install update click on scan Then select all options under utilities Dont use this tho if Vista is 64 bit, its not compatible with 64 bit Hi Speedy. Installed and ran Trojan Remover. Found nothing. SASW still finds them.:badpc::mad::groan: |
Colpol (444) | ||
| 731166 | 2008-12-20 09:34:00 | Did you update it / select everything under utilities as well, then reboot? Or if youre game you can do this (www.symantec.com) If theres an entry in add/remove programs called rich media uninstall it |
Speedy Gonzales (78) | ||
| 731167 | 2008-12-20 10:10:00 | Did you update it / select everything under utilities as well, then reboot? Or if youre game you can do this (www.symantec.com) If theres an entry in add/remove programs called rich media uninstall it Thanks Speedy. Installed it but it would not update. Couldnt find the servers to dowload from. Will try again tomorrow morning. That procedure looks to scary. Nothing in Add/Remove called rich Media. Will try the update tomorrow. Cheers Colin |
Colpol (444) | ||
| 731168 | 2008-12-20 20:44:00 | Hi folks. Ran SASW on my system. It came back with ADWARE.HB Helper(12 items) c:\program files\IE toolbar\eco bar\tbhelper.dll Registry Keys 10 lines with addresses HKCR\CLSID then "numbers/letter" some of which Remove them manually. |
pctek (84) | ||
| 1 2 | |||||