Grokster Testing Part 1

This forum is for testing I do with various security settings and tools. Infection infiltration, security lock down among other things. Currently XP Home-w\SP 2 installed


Postby TICTestBox » Thu Aug 18, 2005 12:19 am

Ok, the other day, I read about the latest Grokster bundling over at Sunbelt Blog. I decided to go and have at it, to see what would happen.

I fired up InCtrl5, but forgot about Total Uninstall, which won't happen with my next round of testing, as I am going to consult a couple of people to form a firm procedure for logging everything.

Once the install began, I accepted almost each and every prompt from Avast, regardless of what it was yelling at me about. Nothing else made any noises, as the install was not ActiveX based (no XP SP 2 warnings).

So, there I sat, accepting the alerts, and following along the prompts for the install. More and more desktop icons appeared here and there, totalling 9 by the time I began to see what I had gotten myself into.

One of the first things I noticed was popups. Of course, no way to avoid those eh?

WinFixer was the first one to pop up, and then a few from 21adsserver.com and a few from a random search site, I think it was search cc.com or something of the like.

The first thing I did was to try and see what would remove from Add\Remove. This went pretty well, considering. There were not all that many there really, if you look at the results from the scans below.

First thing to run, HJT of course. Here is the log produced, I've highlighted the Grokster related stuff:

Logfile of HijackThis v1.99.1
Scan saved at 5:59:10 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\TEMERC~1.TEM\LOCALS~1\Temp\G18151~1.EXE
C:\Program Files\Web_Cpr\WebCpr1.exe
C:\Program Files\Web_Cpr\WebCpr0.exe

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT1991\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dailyrotation.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKLM\..\Run: [WebCpr0] C:\Program Files\Web_Cpr\WebCpr0.exe
O4 - HKLM\..\Run: [rtrmin] C:\DOCUME~1\TEMERC~1.TEM\LOCALS~1\Temp\G18151~1.EXE
O4 - HKLM\..\Run: [tvs_b] c:\Program Files\tvs\tvs_ln.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\RunOnce: [tvs_re] c:\Program Files\Common Files\Java\tvs_re_inst.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\TEMERC~1.TEM\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O15 - Trusted Zone: http://*.gemal.dk
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0239597484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\actodisc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


Not too shabby really. Seemed like not much I have not seen before and had users remove, aside from that O20 entry, but more on that one later.

I also took some screenshots of some of the Avast alerts:

There were close to about 20 or so. All sorts of trojans, exploits, and other nonsense.

I then ran Adaware, and here are the results. In this log I will just leave the infections, as these AAW logs are notoriously long:


Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, August 16, 2005 11:17:21 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R61 10.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AltnetBDE(TAC index:4):2 total references
BargainBuddy(TAC index:8):39 total references
BroadCastPC(TAC index:7):4 total references
Cydoor(TAC index:7):7 total references
Ebates MoneyMaker(TAC index:4):1 total references
Other(TAC index:5):11 total references
Possible Browser Hijack attempt(TAC index:3):2 total references
TopMoxie(TAC index:3):7 total references
Tracking Cookie(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
8-16-2005 11:17:21 PM - Scan started. (Full System Scan)

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Cydoor Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1060284298-1957994488-1708537768-1003\software\cydoor

Cydoor Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1060284298-1957994488-1708537768-1003\software\cydoor
Value : ConnType

AltnetBDE Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\altnet

Cydoor Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\cydoor

TopMoxie Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\unwcpr2000

Cydoor Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1060284298-1957994488-1708537768-1003\\software\cydoor

Cydoor Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1060284298-1957994488-1708537768-1003\\software\cydoor
Value : ConnType

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 7


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : temerc@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Cookies\temerc@fastclick[2].txt

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 8

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Cydoor Object Recognized!
Type : File
Data : cd_clint.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temp\
FileVersion : 3, 2, 1, 6
ProductVersion : 3, 2, 1, 6
ProductName : cd_clint
FileDescription : cd_clint
InternalName : cd_clint
LegalCopyright : Copyright © 2003
OriginalFilename : cd_clint.dll

TopMoxie Object Recognized!
Type : File
Data : SupportInstall.exe
TAC Rating : 3
Category : Data Miner
Comment :
Object : C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temp\

TopMoxie Object Recognized!
Type : File
Data : disp2000.exe
TAC Rating : 3
Category : Data Miner
Comment :
Object : C:\Program Files\Web_Cpr\

Ebates MoneyMaker Object Recognized!
Type : File
Data : 2000_1.dat
TAC Rating : 4
Category : Data Miner
Comment :
Object : C:\Program Files\Web_Cpr\Sy2000\Sy2000\

TopMoxie Object Recognized!
Type : File
Data : 2000_2.dat
TAC Rating : 3
Category : Data Miner
Comment :
Object : C:\Program Files\Web_Cpr\Sy2000\Sy2000\

TopMoxie Object Recognized!
Type : File
Data : WebCpr1.exe
TAC Rating : 3
Category : Data Miner
Comment :
Object : C:\Program Files\Web_Cpr\

Cydoor Object Recognized!
Type : File
Data : A0028284.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{0952E54F-16EF-4772-A8BE-1E3B737877EA}\RP101\
FileVersion : 3, 2, 1, 6
ProductVersion : 3, 2, 1, 6
ProductName : cd_clint
FileDescription : cd_clint
InternalName : cd_clint
LegalCopyright : Copyright © 2003
OriginalFilename : cd_clint.dll

BroadCastPC Object Recognized!
Type : File
Data : A0028315.exe
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{0952E54F-16EF-4772-A8BE-1E3B737877EA}\RP101\

BargainBuddy Object Recognized!
Type : File
Data : exdl.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe

BargainBuddy Object Recognized!
Type : File
Data : exdl1.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe

BargainBuddy Object Recognized!
Type : File
Data : exdl2.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe

BargainBuddy Object Recognized!
Type : File
Data : exdl3.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Download Module
CompanyName : eXact Advertising
FileDescription : Download Module
InternalName : Download Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exdl.exe

BargainBuddy Object Recognized!
Type : File
Data : exul.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe

BargainBuddy Object Recognized!
Type : File
Data : exul1.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe

BargainBuddy Object Recognized!
Type : File
Data : exul3.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : temerc@tickle[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\temerc@tickle[2].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 24

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Casino.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://sportsbook.mayancasino.com/
Object : C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Start Menu\

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Sportsbook.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://sportsbook.mayancasino.com/
Object : C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Start Menu\

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AltnetBDE Object Recognized!
Type : Folder
TAC Rating : 4
Category : Data Miner
Comment : AltnetBDE
Object : C:\Program Files\Altnet

TopMoxie Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main\ins
Value : 1150

TopMoxie Object Recognized!
Type : Folder
TAC Rating : 3
Category : Data Miner
Comment : TopMoxie
Object : C:\Program Files\Web_Cpr

BroadCastPC Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\wast

BroadCastPC Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\wast
Value : DT

BroadCastPC Object Recognized!
Type : File
Data : wast2.exe
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\WINDOWS\

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : UninstallString

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : Publisher

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : DisplayVersion

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : URLInfoAbout

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : Readme

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : DisplayIcon

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : HelpLink

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : NoModify

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\navisearch
Value : NoRepair

BargainBuddy Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : NaviSearch

BargainBuddy Object Recognized!
Type : Folder
TAC Rating : 8
Category : Malware
Comment : BargainBuddy
Object : c:\program files\BullsEye Network

BargainBuddy Object Recognized!
Type : Folder
TAC Rating : 8
Category : Malware
Comment : BargainBuddy
Object : c:\program files\NaviSearch

BargainBuddy Object Recognized!
Type : Folder
TAC Rating : 8
Category : Malware
Comment : BargainBuddy
Object : c:\program files\navisearch\bin

BargainBuddy Object Recognized!
Type : File
Data : ad.dat
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\bullseye network\

BargainBuddy Object Recognized!
Type : File
Data : ub.dat
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\bullseye network\

BargainBuddy Object Recognized!
Type : File
Data : Uninstall.exe
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\bullseye network\
FileVersion : 8.0.4.0
ProductName : BullsEye Network
CompanyName : eXact Advertising
FileDescription : BargainBuddy Module
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
LegalTrademarks : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
Comments : BargainBuddy Module

BargainBuddy Object Recognized!
Type : File
Data : adv.exe
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\bullseye network\bin\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adv
CompanyName : eXact Advertising
InternalName : adv
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adv.exe

BargainBuddy Object Recognized!
Type : File
Data : adx.exe
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\bullseye network\bin\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adx
CompanyName : eXact Advertising
InternalName : adx
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adx.exe

BargainBuddy Object Recognized!
Type : File
Data : bargains.exe
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\bullseye network\bin\
FileVersion : 8, 0, 3, 6
ProductVersion : 8, 0, 3, 6
ProductName : BargainsBuddy ADP Module
CompanyName : eXact Advertising
FileDescription : bargains
InternalName : ADP
LegalCopyright : Copyright © 2003-2005. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : bargains.exe

BargainBuddy Object Recognized!
Type : File
Data : ad.dat
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\navisearch\

BargainBuddy Object Recognized!
Type : File
Data : Uninstall.exe
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\navisearch\
FileVersion : 8.0.3.9
ProductName : NaviSearch
CompanyName : eXact Advertising
FileDescription : NAVISearch Module
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
LegalTrademarks : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
Comments : NaviSearch Module

BargainBuddy Object Recognized!
Type : File
Data : nls.exe
TAC Rating : 8
Category : Malware
Comment :
Object : c:\program files\navisearch\bin\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 5
ProductName : NAVISearch Module
CompanyName : eXact Advertising
FileDescription : NLS Module
InternalName : NLS
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : nls.exe

BargainBuddy Object Recognized!
Type : File
Data : bbchk.exe
TAC Rating : 8
Category : Malware
Comment :
Object : c:\windows\system32\
FileVersion : 5.101.1663.1
ProductVersion : 5.101.1663.1
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : ECM ChkTrust
InternalName : CHKTRUST.EXE
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
OriginalFilename : CHKTRUST.EXE

BargainBuddy Object Recognized!
Type : File
Data : exclean.exe
TAC Rating : 8
Category : Malware
Comment :
Object : c:\windows\system32\

BargainBuddy Object Recognized!
Type : File
Data : bb_auto_wider.swf
TAC Rating : 8
Category : Malware
Comment :
Object : c:\temp\

BargainBuddy Object Recognized!
Type : File
Data : bb_click_wider.swf
TAC Rating : 8
Category : Malware
Comment :
Object : c:\temp\

BargainBuddy Object Recognized!
Type : File
Data : bb_welcome.html
TAC Rating : 8
Category : Malware
Comment :
Object : c:\temp\

BargainBuddy Object Recognized!
Type : File
Data : bb_welcome1.swf
TAC Rating : 8
Category : Malware
Comment :
Object : c:\temp\

BargainBuddy Object Recognized!
Type : File
Data : blank.gif
TAC Rating : 8
Category : Malware
Comment :
Object : c:\temp\

BargainBuddy Object Recognized!
Type : File
Data : icon.gif
TAC Rating : 8
Category : Malware
Comment :
Object : c:\temp\

BargainBuddy Object Recognized!
Type : File
Data : logo.gif
TAC Rating : 8
Category : Malware
Comment :
Object : c:\temp\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 49
Objects found so far: 75

11:43:15 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:25:54.475
Objects scanned:105433
Objects identified:88
Objects ignored:1
New critical objects:87


YIKES!!! What a load eh? Still not done, next up, Spybot scan:


--- Report generated: 2005-08-17 00:13 ---

eXact Advertising.BargainsBuddy: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}

AproposMedia: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient

Tango: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader

PeopleOnPage: Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Envolo

AdRoarPlugin: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1060284298-1957994488-1708537768-1003\Software\AdRoarPlugin

Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}

Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}

Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468}

Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}

Exact Advertising.BargainsBuddy: Autorun settings (BullsEye Network) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BullsEye Network

Exact Advertising.BargainsBuddy: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}

Exact Advertising.BargainsBuddy: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}

Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}

Exact Advertising.BargainsBuddy: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}

Exact Advertising.BargainsBuddy: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}

Exact Advertising.BargainsBuddy: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Bargains

Exact Advertising.BargainsBuddy: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Classes\NLS.UrlCatcher.1

Exact Advertising.BargainsBuddy: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\NaviSearch

MyWay.MyBar: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}


MS\AS got its turn to find what was leftover:

Spyware Scan Details
Start Date: 8/16/2005 8:53:52 PM
End Date: 8/16/2005 10:25:17 PM
Total Time: 1 hrs 31 mins 25 secs

Detected Threats

Transponder.ABetterInternet Adware more information...
Details: ABetterInternet displays advertisements based on the Web sites you visit.
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected folders detected
c:\documents and settings\temerc.temerc-higi1780\local settings\temp\drtemp


Transponder.ABetterInternet.Aurora Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\aurora AUI3d5OfSDist 175|1|0|0|THIN-175-1-X-X.EXE


BroadcastPC.C Adware more information...
Status: Removed
Elevated threat - Elevated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

Infected files detected
c:\program files\tvs\tvs_b.exe
c:\program files\tvs\tvs_ln.exe


ICanNews Adware more information...
Details: ICanNews is an adware program that logs keywords typed in web searches and creates shortcuts and displays advertisements.
Status: Removed
Elevated threat - Elevated-risk items have some potential for harm. Users should review such programs and remove them if unwanted.

Infected files detected
c:\documents and settings\temerc.temerc-higi1780\local settings\temporary internet files\content.ie5\wzff2g91\activex[1].ocx


And finally, my eWido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:12:26 AM, 8/17/2005
+ Report-Checksum: C0DAFA6E

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\EnvoloAutoUpdater -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Bargains -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher\CLSID -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\eXactUtil -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NaviSearch -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\NaviSearch -> Spyware.NaviSearch : Cleaned with backup
HKU\S-1-5-21-1060284298-1957994488-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
[508] C:\WINDOWS\system32\actodisc.dll -> Spyware.Look2Me : Error during cleaning
[1300] C:\WINDOWS\system32\pfnppagn.dll -> Spyware.Look2Me : Error during cleaning
[1512] C:\WINDOWS\system32\pfnppagn.dll -> Spyware.Look2Me : Error during cleaning

[2936] C:\Program Files\NaviSearch\bin\nls.exe -> Spyware.BargainBuddy : Cleaned with backup
[2944] C:\Program Files\BullsEye Network\bin\bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temporary Internet Files\Content.IE5\6HELOJ61\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temporary Internet Files\Content.IE5\6HELOJ61\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temporary Internet Files\Content.IE5\KXMNO12R\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temporary Internet Files\Content.IE5\Q58J4X0R\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temporary Internet Files\Content.IE5\UJ0B4RYB\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temporary Internet Files\Content.IE5\WFYNUOWE\Installer[1].exe -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\TeMerc.TEMERC-HIGI1780\Local Settings\Temporary Internet Files\Content.IE5\WR6HKX41\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Program Files\BullsEye Network\bin\adv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin\adx.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin\bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\MyGlobalSearch\bar\1.bin\M9PLUGIN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\NaviSearch\bin\nls.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\awi2dvaa.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exdl1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exdl2.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exul1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ntpiop.exe -> TrojanDownloader.Agent.ro : Cleaned with backup
C:\WINDOWS\system32\wqcsapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\xrsp3res.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup


::Report End


It was after running all the above, which btw, I had to do offline, as staying online just kept getting me more popups and prolly DLing more malwares, that I began to see a pattern with my HJT logs, perhaps you saw the hint above? ;)

Tomorrow or the day after, I'll finish up with what I wound up doing to clean me all up.
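The ewido report above is worth triaging mechanically: every detection line has the same `location -> family : status` shape, loaded modules carry a leading `[pid]`, and the three Look2Me DLLs that were still mapped into running processes are the ones that reported "Error during cleaning". The parser below is an added example, not ewido's code or anything from this thread; it assumes the report layout exactly as shown in the post and uses a constructed sample built from a few of the lines above. It groups detections by family and lists the failed entries, so that a leftover in-process module (the kind that re-drops the rest once the machine is back online) stands out.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One detection line of an ewido "Scan report", in the two shapes seen in the post:
#   [<pid>] <module path> -> <family> : <status>     (DLL/EXE inside a running process)
#   <registry key or file path> -> <family> : <status>
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<loc>.+?)\s+->\s+(?P<family>\S+)\s+:\s+(?P<status>.+?)\s*$"
)

# Constructed sample: a handful of lines copied from the report in the post.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:12:26 AM, 8/17/2005
+ Report-Checksum: C0DAFA6E

+ Scan result:

HKLM\SOFTWARE\Bargains -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\NaviSearch -> Spyware.NaviSearch : Cleaned with backup
[508] C:\WINDOWS\system32\actodisc.dll -> Spyware.Look2Me : Error during cleaning
[1300] C:\WINDOWS\system32\pfnppagn.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup

::Report End
"""


@dataclass
class Detection:
    location: str
    family: str
    status: str
    pid: Optional[int]  # set only for modules found inside a running process

    @property
    def kind(self) -> str:
        if self.pid is not None:
            return "loaded-module"
        if self.location.upper().startswith(("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")):
            return "registry"
        return "file"

    @property
    def cleaned(self) -> bool:
        return self.status.lower().startswith("cleaned")


def parse_report(text: str) -> List[Detection]:
    """Return every detection line; header, checksum and footer lines are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "+-" or line.startswith("::"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # banner line such as "ewido security suite - Scan report"
        pid = m.group("pid")
        found.append(Detection(m.group("loc"), m.group("family"),
                               m.group("status"), int(pid) if pid else None))
    return found


def triage(text: str) -> dict:
    """Summarise a report: hits per family, plus everything the tool could not clean."""
    dets = parse_report(text)
    failed = [d for d in dets if not d.cleaned]
    return {
        "total": len(dets),
        "by_family": dict(Counter(d.family for d in dets)),
        "failed": [(d.pid, d.location, d.family) for d in failed],
        # Families with a surviving loaded module deserve a rerun with the box offline,
        # which is the lesson the post draws; we only report them here.
        "rerun_offline": sorted({d.family for d in failed if d.kind == "loaded-module"}),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} detections, by family: {result['by_family']}")
    for pid, loc, fam in result["failed"]:
        print(f"  NOT CLEANED  pid={pid}  {loc}  ({fam})")
    print("families to re-scan offline:", result["rerun_offline"])
```

Run it against a full report pasted into `SAMPLE_REPORT` (or read from a file) and the "NOT CLEANED" lines are the ones to chase: a module that stays mapped in a process can only be dealt with once that process is gone, which is exactly why the in-process Look2Me DLLs survived the first pass while the family's on-disk files did not.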

Phantom Bronco
Countermeasures Agent
Posts: 63
Joined: Sun Jul 03, 2005 12:56 am
experience: I can do more than turn on PC
PC time: Over an hour a day, give or take

Postby Phantom Bronco » Thu Aug 18, 2005 8:32 am

Thanks Temerc. Great information, you do a wonderful service, and I learn a lot by confirming and/or rejecting my ideas and such about this bad =+\ stuff that's out there. I look forward to future posts! ^^<

JeanInMontana
Posts: 2570
Joined: Wed Feb 02, 2005 9:47 am
Gender: Female
experience: I know the functions, OS settings, registry tweaks and more
PC time: More than 4 hours a day
Location: South Central Montana USA

Postby JeanInMontana » Thu Aug 18, 2005 8:36 pm

I'm surprised you still had Bargain Buddy by the time you got to eWido. Why didn't Ad-Aware take it all when it found it the first time? Then SS&D found more???

TeMerc
Site Admin
Posts: 15995
Joined: Fri Jan 28, 2005 5:16 pm
Area Of Expertise: Security
experience: I know the functions, OS settings, registry tweaks and more
PC time: What else is there in life?
Location: PHX, AZ

Postby TeMerc » Fri Aug 19, 2005 12:20 am

Well, part of the problem Jean, was that I was still hooked up to the net, so, until I realised what I have told countless users to do: 'Physically disconnect from Internet', I'm thinking the files were calling home every chance they got. That Look2Me was the last of the nasties to go.

And, as part of me not disconnecting, I had some new stuff that didn't show up in the first HJT log.

More on that this weekend, in Part II. 8)