
Thread: PWS.Tanspy and other trojans....

  1. #1
    Join Date
    Sep 2007
    Location
    South Africa
    Posts
    9

    PWS.Tanspy and other trojans....

    Dear Forum users/experts

    I spent the last week or so trying to clean my PC from trojans identified by NoAdware scan:

    Mirar Toolbar,
    Trojan.PWS.Tanspy
    Hijacker.internetexplorerzonehijack
    Gemius

    I have followed various steps on how to get PC clean from other forums relating to specific infections, and have also followed the steps of IANG startup, and Hijackthis log auto analyser, ran Panda, Kaspersky, and MicroPC cillin. Kaspersky, Panda picked up some viruses, which I cleaned, and this morning I ran MicroPC Cillin and it picked up two BHO, and cleaned my machine. Subsequently ran PC cillin again and it said my machine is clean.
    I did an AVG scan and it says my machine is clean. I just ran a HJT auto log and it looks clean.
    But noadware still giving me the above infections...
    Can anybody give some advice, are these false positives?

    Any advice on my HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 15:30, on 2007-09-27
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\foobar2000\foobar2000.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\HJT\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand201013011.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [MobileConnect.EXE] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
    O4 - Startup: xplorer2 (2).lnk = C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1184673192703
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184672964593
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

    thanks a stack!

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I would guess that these are false positives. Noadware is not a program we recommend here. I have no idea what version of this program you are using but at one time it was listed on Rogue/Suspect Anti-Spyware List as a rogue program and not recommended. It was removed from that list in 2004, but that doesn't mean it is a recommended program, just that it has been de-listed and it is NOT on their list of recommended programs. Scroll down towards the bottom of that site to see their recommendation of trustworthy programs. The main reason it was listed originally was false positives and the use of aggressive, deceptive advertising including exploitation of the name "ad-aware". AdAware IS a reputable program but that is not the program you are using. If I were you I would UNINSTALL it totally and not use it again.

    The programs we, and most other reputable computer forums recommend, are noted here PROTECT YOURSELF FROM MALWARE: Tools & Tips

    I don't see much to fix in the log. I do not see a firewall on the system, unless you are using the built in Windows Firewall.

    This entry maybe, unless YOU SET this yourself to open a blank page as your start page.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    I also am not familiar with this program listed in the Start Up items;
    O4 - Startup: xplorer2 (2).lnk = C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe

    I really want to caution you about using HiJackThis as a fixer program, it is NOT. This is customarily a program requested and then analyzed by a person helping another and there are many steps taken in analyzing log entries. It really should not be used for fixes unless directed by others. Also, if you used the Hijackthis log auto analyser on THIS board, it is NOT recommended as noted in this sticky at the top of the page IMPORTANT: HiJackThis Analyzer Information
    This is way out of date and was not intended for usage as instruction on what to fix anyway, it was to be used as a guide ONLY. Meaning any entries noted in red should be INVESTIGATED, period, and not an instruction to remove something. Many items which end up being listed in red are legitimate files, programs etc., and should NOT be removed. The ENTIRE HJT log must be looked at before removal advice is given for anything.
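
Added example, not part of any post in this thread and not HijackThis's own code: a small Python parser that reads a HijackThis log as a whole, groups entries by section code, and cross-references autostart and service entries against the running-process list, in line with the advice above that entries are to be investigated rather than removed. The function names and the `SAMPLE` excerpt (lines copied from the log in post #1) are choices made for this illustration.

```python
import re
from collections import defaultdict

# HijackThis section codes that occur in the log posted in this thread.
SECTIONS = {"R0": "IE start/search page", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O4": "autostart (Run key / Startup folder)",
            "O8": "IE context-menu item", "O16": "ActiveX control",
            "O23": "Windows service"}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Drive-letter path ending in .exe/.dll/.lnk; such paths may contain spaces.
PATH = re.compile(r"[A-Za-z]:\\[^\"<>|*?]*?\.(?:exe|dll|lnk)", re.I)

# Excerpt of the log in post #1, embedded so the example runs offline.
SAMPLE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MobileConnect.EXE] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.EXE
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

def parse_hjt(text):
    """Split a HijackThis log into running processes and entries by section."""
    running, entries, in_procs = [], defaultdict(list), False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False  # the first section entry ends the process list
            paths = PATH.findall(m.group(2))
            entries[m.group(1)].append((line, paths[-1] if paths else None))
        elif in_procs and line:
            running.append(line)
    return running, dict(entries)

def autostarts_not_running(running, entries):
    """O4/O23 entries whose file is absent from the process list: items to look
    up, not to delete. File names only, as the log mixes long and 8.3 paths."""
    names = {p.rsplit("\\", 1)[-1].lower() for p in running}
    return [raw for code in ("O4", "O23") for raw, path in entries.get(code, [])
            if path and path.rsplit("\\", 1)[-1].lower() not in names]

if __name__ == "__main__":
    running, entries = parse_hjt(SAMPLE)
    print({c: (SECTIONS.get(c, "unknown"), len(v)) for c, v in entries.items()})
    print("look up:", autostarts_not_running(running, entries))
```

An autostart entry that is not currently running is only a prompt to identify the program; it says nothing about whether the file is malicious.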

  3. #3
    Join Date
    Jan 2007
    Location
    Edmonton,Alberta,Canada
    Posts
    78
    One thing I noticed that Judy says to disable most of the time is the Spybot TeaTimer. This can be a resource hog on most systems. Other than that my dime is spent, so keep with it and if you have any more problems we are always here to help in any way we can.

  4. #4
    Join Date
    Sep 2007
    Location
    South Africa
    Posts
    9
    Thanks for the replies..
    Will execute Noadware, and tea timer.
    All the best!
