Removal of items found by PestScan

Discussion in 'adware, spyware & hijack cleaning' started by sno, May 5, 2004.

Thread Status:
Not open for further replies.
  1. sno

    sno Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Location:
    MN. USA
    Hello,
    I hope this is the right place for my inquiry..
    I ran the PestScan free online scan and the results showed 30 items, of which the top item was Kazaa and reads like this:
    "KaZaA-P2P", when expanded these are the items that show:
    C\Windows\System32\p2p networking
    C\Windows\System32\p2p networking\p2p networking.exe
    C\Windows\System32\p2p networking\marshal.dll
    hkey_local_machine\software\p2p networking
    hkey_local_machine\software\microsoft\windows\currentversion\uninstall\p2p networking
    hkey_local_machine\software\microsoft\windows\currentversion\app -management\arpcache\p2p networking
    hkey_local_machine\software\kazaa
    hkey_local_machine\software\classes\clsid\(cc7a6223-3759-4075-8cea-971f5cfc0ed2)
    hkey_local_machine\software\classes\clsid\(c91e8926-d4be-4685-99f4-0d99b96bac0
    hkey_current_user\software\p2p networking
    hkey_current_user\software\kazaa
    hkey_classes_root\clsid\cc7a6623-3759-4075-8cea-97f5c0ed2}
    hkey_classes_root\clsid\c91e8926-d4be-4685-99f4-od996b96bac0}

    ...and the other items are:
    "Gator -Adware"
    c:\documents and settings\all users\start menu\start programs\gain

    "Gain -Adware"
    C:\Documents And Settings\All Users\Start Menu\Programs\precisiontime
    C:\Documents And Settings\All Users\Start Menu\Programs\gain
    c:\documents and settings\all users\start menu\start programs\precisiontime

    "Claria -Adware"
    *C:\Program Files\common files\gmt
    *C:\Program Files\common files\cmeii

    "HT Patch -Browser Helper Object"
    C:\WINDOWS\htpatch.exe

    "Zedo Spyware Cookie"
    C:\Documents And Settings\(name withheld)\Cookies\

    "WurldMedia.com -Spyware Cookie"
    C:\Documents And Settings\(namewithheld\Cookies\
    "TribalFusion.com -Spyware Cookie"
    C:\Documents And Settings\
    "TrafficMarketplace -Spyware Cookie"
    C:\Documents And Settings\(name withheld)\Cookies\

    "Server.iad.LivePerson -Spyware Cookie"
    C:\Documents And Settings\(name withheld)\Cookies\

    "Mediaplex.com -Spyware Cookie"
    C:\Documents And Settings\(name withheld)\Cookies\(]

    "HitBox.com -Tracking cookie"
    C:\Documents And Settings\(name withheld)\Cookies\(

    "DoubleClick -Spyware Cookie"
    C:\Documents And Settings\

    "AtlasDmt.com -Spyware Cookie"
    C:\Documents And Settings\(name withheld)\Cookies\

    "Adserver.com -Tracking cookie"
    C:\Documents And Settings\
    I've been all day at my pc trying to understand the full measures in removing these from my system "manually", (don't want to pay for the removal..yet) as I see, it must be done from the registry and I'm not sure I want to go there..I've only had a computer for a year and haven't become familiar enough.
    After the PestScan, they showed a small window with the results but I was unable to highlight any of them for copying to anything so I typed each result for this post and for future reference, (couldn't get printscreen to work)
    I realize that not 'all' of these are mucking up my system, but I suspect the top 2 or 3 need to be removed. I had tried uninstalling Kazaa a long time ago, and thought it was gone (I've never used it, my son did maybe twice) and I got roped-into clicking on a "You must check your clock" -or something to that effect many months ago and that's how the Gator got in, I've had this "Timer Recording Manager -No Timer Recording" icon in my task bar/start-up bar (lower right) that I think doesn't belong there.
    I am hoping that someone here can see these scan results and give me an idea of what to do next, if anything.
    I have noticed some slogging in IE6, Yahoo mail sometimes takes several seconds to page-up, I consistently get the "no internet connection>try again" deal..(an annoyance), some weird behavior (sometimes) in PhotoshopElements, and a few other inconsistencies here and there, (sorry I can't be more technical)
    I had a Norton AV folder in my browser window, (below the address bar) along with 2 others; Snapshot Marquee and PhotoAlbum that I never used, and suddenly they have disappeared.
    I apologize for my lengthy post, and I am weary of this by now but I hope I have included all the pertinent info you need to help with this,
    WinXP/Home/Sp1 /IE6 /DSL
    NortonAV/System Doctor/Utilities 6.0.20g
    SpyHunter (latest version w/pop-up protection)
    Ad-Aware 6.0
    ZoneAlarm 4.5.594
    -EVERYTHING is kept up-dated

    Thank you so much!
    -sno
     
    Last edited: May 6, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  3. sno

    sno Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Location:
    MN. USA
    Here ya go..

    Thank you Pieter for your response in my earlier "Removing PestScan finds.." post, I apologize for being one more person you have to tell how to post here :rolleyes:
    After the scan with Adaware, 41 items were brought up that all had the Symantec/Enigma names attached to them. This also happened earlier in the week after a "Spyhunter" scan to which I just removed everything and all my Spyhunter stuff disappeared, I was able to download it all back though. This time with the Adaware scan I've put them in quarantine. I do use Symantec's NAV/Syst Dr. and Spyhunter, and have used Adaware for several months and I've never seen "items" with my own antivirus company name on them. I've not included that log-file here thinking the HijackThis log may be sufficient enough.
    Also, tonight the font size in my Yahoo page is HUGE all of a sudden, and I couldn't get Adobe Photoshop to operate right.

    I should clarify- in my original post; https://www.wilderssecurity.com/showthread.php?p=172004
    I wondered about the files that Pestscan brought up, and if these are hurting my system per se, or what I should do with them.

    Could you please look at these Hijack log files and tell me what to do next?
    Thank you again, your consideration is greatly appreciated!

    WinXP/Home/Sp1 /IE6 /DSL
    NortonAV/System Doctor/Utilities 6.0.20g
    SpyHunter 1.5.81
    Ad-Aware 6.0
    ZoneAlarm 4.5.594
    >everything always updated<

    Logfile of HijackThis v1.97.7
    Scan saved at 10:52:28 PM, on 5/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\System32\WScript.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\sony\giga pocket\usbsircs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Sony\giga pocket\GPVSvr.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\Sony\giga pocket\ReserveModule.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\sony\giga pocket\gps.exe
    C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\clipbrd.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\Documents and Settings\Suzanne Tromburg\Local Settings\Temp\Temporary Directory 2 for hijackthis1977[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wexhsne] rundll32 C:\WINDOWS\System32:wexhsne.dll,Init 1
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [*wexhsne] rundll32 C:\WINDOWS\System32:wexhsne.dll,Init 1
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {67E0EF28-6DC3-4F95-8011-EF8EF00033EA} - http://www.muul.com/urlhistory/HistoryCom.cab
    O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/4/download/pdpplugin_5094_bundle3v0p10.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral4.sel.sony.com/sdccommon/download/sonyctl.CAB1
     
    Last edited: May 7, 2004
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Not sure if you will like my answer, but I would uninstall SpyHunter and P2P Networking in Add/Remove Software.

    Then there is one real nasty to take care of:
    Click "Start" > "Run" > type or copy&paste rundll32 C:\WINDOWS\System32:wexhsne.dll,Uninstall > "OK"

    Enigma does not have a very good name, because of their aggressive tactics to sell their software and their lacking detection of real threats versus flagging innocent programs as spyware.

    Regards,

    Pieter
     
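    The `System32:wexhsne.dll` form in Pieter's rundll32 line is an NTFS alternate data stream attached to the System32 directory itself, which is why the DLL never shows up as a file in a normal directory listing even though the Run and RunOnce keys load it at every boot. As an added example (my own code, not from the thread or from HijackThis), this Python parses O4 Run/RunOnce lines in the HijackThis v1.97 format shown above and flags any autorun command that loads from such a stream; the sample lines are constructed from the poster's log.

```python
import re

# Constructed sample: a handful of O4 lines in HijackThis v1.97 format,
# modelled on the log in this thread (not the poster's complete log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [P2P Networking] C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART
O4 - HKLM\\..\\Run: [wexhsne] rundll32 C:\\WINDOWS\\System32:wexhsne.dll,Init 1
O4 - HKLM\\..\\RunOnce: [*wexhsne] rundll32 C:\\WINDOWS\\System32:wexhsne.dll,Init 1
O4 - Global Startup: Billminder.lnk = C:\\Program Files\\Quicken\\billmind.exe
"""

# Registry-backed O4 entries look like: O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# A second colon inside a path (one that is not the drive-letter colon) means
# the target is an NTFS alternate data stream, e.g. System32:wexhsne.dll.
ADS_RE = re.compile(r'[A-Za-z]:\\[^\s,"]*?[^\s\\:]:[^\s\\:,]+')


def parse_o4_run_entries(log_text):
    """Return (hive, key, name, command) for each registry Run/RunOnce O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append((m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def find_ads_autoruns(log_text):
    """Names of Run entries whose command loads code from an alternate data stream."""
    return [name for _, _, name, cmd in parse_o4_run_entries(log_text)
            if ADS_RE.search(cmd)]


if __name__ == "__main__":
    for hive, key, name, cmd in parse_o4_run_entries(SAMPLE_LOG):
        flag = "  <-- alternate data stream" if ADS_RE.search(cmd) else ""
        print(f"{hive}\\..\\{key} [{name}] {cmd}{flag}")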
  5. sno

    sno Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Location:
    MN. USA
    Hi again,
    Unfortunately I've paid the $30.00 for the Symantec stuff, I have never had a problem until the recent discovery of Enigma/Symantec names in the scan-logs. I have been using BOTH Adaware and Spyhunter and they seem to come up with the same files in their scans, this latest scan-log malady needs to be addressed with Symantec/Adaware which I will do..

    You have directed me to remove the p2p networking which I did want to be rid of, could you clarify; what is "wexhsne.dll?", does that refer to the Symantec un-install? or the p2p? Both??
    I'm willing to go in and do this to get rid of p2p, but not sure I want to un-install a program I paid for, especially since my NortonAV came with the package.
    Thanks Pieter!!
    -sno
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sno,

    wexhsne.dll is described here
    https://www.wilderssecurity.com/showpost.php?p=99532&postcount=8

    Symantec's NAV is a fully trustworthy program and has nothing to do with P2P Networking which gets installed with filesharing programs (KaZaa and the likes.)

    SpyHunter is a spyware remover that lacks the quality IMO of the free alternatives AdAware and Spybot S&D. On top of that it uses marketing techniques that are at least questionable.

    Regards,

    Pieter
     