My PC is infected with: Trojan.Startpage.M, MHTMLRedir.Exploit, DSO Exploit, Trojan-Spy.HTML.Smitfraud.c

==========
Ad-aware SE, first results:

751 New Critical Objects
19 Negligible Objects
6 Families of Threats, rated 1-10:
AdvertBar - 5 - (1 object)
Alexa - 5 - (8 objects)
Claria - 7 - (7 objects)
Hi-Wire - 4 - (43 objects)
MRU List - no threat - (19 objects)
Tracking Cookie - 3 - (692 objects)

Objects removed total: 838
Total Ad-aware scans: 3
Objects in ignore list: 0
Objects quarantined: 1540

==========
CWShredder:

**** Run Keys ****
RUN: [ScanRegistry] c:\windows\scanregw.exe /autorun
RUN: [SystemTray] SysTray.Exe
RUN: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
RUN: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
RUN: [Aureal A3D Interactive Audio Init] A3dInit.exe
RUN: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
RUN: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
RUN: [AtiCwd32] Aticwd32.exe
RUN: [AtiKey] Atitask.exe
RUN: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
RUN: [CPQSTUTFIX] C:\Windows\stutfix.exe
RUN: [LoadQM] loadqm.exe
RUN: [CPQ BackWeb Monitor] C:\CPQS\TOOLS\BackMon2.exe
RUN: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
RUN: [WindowsFY] C:\WP.EXE

**** Browser Helper Objects ****
BHO: [] C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

**** IE Toolbars ****
TOOLBAR: [&Radio] C:\WINDOWS\SYSTEM\MSDXM.OCX

**** IE Extensions ****
IEExt: [Real.com]
IEExt: [Messenger] C:\Program Files\Messenger\MSMSGS.EXE
IEExt: [Microsoft AntiSpyware helper] C:\Program Files\Messenger\MSMSGS.EXE

**** Hosts File Entries ****

**** IE Settings ****
Default Page: http://www.msn.com
Default Search: http://home.microsoft.com/access/allinone.asp
Local Page: C:\WINDOWS\SYSTEM\blank.htm
Search Bar: http://www.aol.com/netfind/refer/microsoft.ie4.html
Search Page: http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu

**** IE Context Menu (Right click) ****

**** Layered Service Providers ****

**** Blocked Control Panel Items ****
BLOCKED: []

**** Downloaded Program Files ****
Microsoft XML Parser for Java [file://c:\windows\Java\classes\xmldso.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\dajava.cab]

==========
Spybot S&D:

Note: I ran this program twice.

Backups created after fixing problems the first time:

Alexa Related: What's Related link, C:\WINDOWS\Web\RELATED.HTM (Replace file, nothing done)
GAIN.Gator: Module Usage, (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/IEGator.dll
GAIN.Gator: Shared DLL (1 apps) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\Downloaded Program Files\IEGator.dll
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zone\0\1004!=W=3

Note: I next ran a separate program called RegistryFix v3.0 (unregistered version from registryfix.com).

Note: I updated Spybot S&D files and ran it again:

Success! Permanent Internet Explorer Immunity...
Warning: 1493 bad products already blocked, 211 additional protections possible. Please immunize.
Permanently running bad download blocker for Internet Explorer.
Immunization has finished. 1704 bad products are now blocked.

Spybot backed up files:

Alexa Related: What's Related link, C:\WINDOWS\Web\RELATED.HTM (Replace file, nothing done)
GAIN.Gator: Module Usage, (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/IEGator.dll
GAIN.Gator: Shared DLL (1 apps) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\Downloaded Program Files\IEGator.dll

==========
Note: I ran Ad-aware's update. These are the second results:

32 New Critical Objects:
0 Processes Identified
0 Modules Identified
1 Registry Keys Identified
2 Registry Values Identified
28 Files Identified
1 Folders Identified
6 Negligible Objects

Logfile:

Ad-Aware SE Build 1.05
Logfile Created on:Monday, May 02, 2005 8:19:17 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R42 28.04.2005

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):1 total references
MRU List(TAC index:0):6 total references
Security iGuard(TAC index:9):3 total references
Tracking Cookie(TAC index:3):28 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R8 13.09.2004
Internal build : 12
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 344723 Bytes
Total size : 1092481 Bytes
Signature data size : 1068971 Bytes
Reference data size : 22998 Bytes
Signatures total : 30122
Fingerprints total : 154
Fingerprints size : 7129 Bytes
Target categories : 15
Target families : 560

5-2-2005 8:01:00 PM Performing WebUpdate...
Installing Update...

Definitions File Loaded:
Reference Number : SE1R42 28.04.2005
Internal build : 49
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 466557 Bytes
Total size : 1403889 Bytes
Signature data size : 1373297 Bytes
Reference data size : 30080 Bytes
Signatures total : 39226
Fingerprints total : 836
Fingerprints size : 28245 Bytes
Target categories : 15
Target families : 654

5-2-2005 8:03:00 PM Success
Update successfully downloaded and installed.

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium II
Memory available:0 %
Total physical memory:64956 kb
Available physical memory:0 kb
Total page file size:2032192 kb
Available on page file:1917608 kb
Total virtual memory:2093056 kb
Available virtual memory:2044096 kb
OS:

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

5-2-2005 8:19:19 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
  ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
  Command Line : n/a
  ProcessID : 4293905963
  Threads : 7
  Priority : High
  FileVersion : 4.10.1998
  ProductVersion : 4.10.1998
  ProductName : Microsoft(R) Windows(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Win32 Kernel core component
  InternalName : KERNEL32
  LegalCopyright : Copyright (C) Microsoft Corp. 1991-1998
  OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  Command Line : n/a
  ProcessID : 4294839923
  Threads : 1
  Priority : Normal
  FileVersion : 4.10.1998
  ProductVersion : 4.10.1998
  ProductName : Microsoft(R) Windows(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Windows 32-bit VxD Message Server
  InternalName : MSGSRV32
  LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
  OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
  Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
  ProcessID : 4294837219
  Threads : 1
  Priority : Normal
  FileVersion : 4.10.1998
  ProductVersion : 4.10.1998
  ProductName : Microsoft(R) Windows(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : WIN32 Network Interface Service Process
  InternalName : MPREXE
  LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
  OriginalFilename : MPREXE.EXE

#:4 [SA3DSRV.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\SA3DSRV.EXE
  Command Line : sa3dsrv.exe
  ProcessID : 4294867491
  Threads : 3
  Priority : Realtime
  FileVersion : 4.05.009d
  ProductVersion : 4.05.009d
  ProductName : Aureal A3D for Compaq
  CompanyName : Aureal Semiconductor
  FileDescription : SoftA3D Server
  InternalName : sa3dsrv
  LegalCopyright : Copyright © Aureal Semiconductor. 1997,98
  OriginalFilename : SA3DSRV.EXE

#:5 [DDHELP.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\DDHELP.EXE
  Command Line : ddhelp.exe
  ProcessID : 4294888863
  Threads : 6
  Priority : Realtime
  FileVersion : 4.09.00.0900
  ProductVersion : 4.09.00.0900
  ProductName : Microsoft® DirectX for Windows®
  CompanyName : Microsoft Corporation
  FileDescription : Microsoft DirectX Helper
  InternalName : DDHelp.exe
  LegalCopyright : Copyright © Microsoft Corp. 1994-2002
  OriginalFilename : DDHelp.exe

#:6 [NAVAPW32.EXE]
  ModuleName : C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
  Command Line : "C:\PROGRAM FILES\Norton AntiVirus\NAVAPW32.EXE"
  ProcessID : 4294876291
  Threads : 7
  Priority : Normal
  FileVersion : 5.3.0.25
  ProductVersion : 5.3.0.25
  ProductName : Norton AntiVirus
  CompanyName : Symantec Corporation
  FileDescription : Norton AntiVirus Auto-Protect Agent
  InternalName : NAVAPW32
  LegalCopyright : Copyright (C) Symantec Corporation 1991-1998
  OriginalFilename : NAVAPW32.DLL

#:7 [KB891711.EXE]
  ModuleName : c:\windows\SYSTEM\KB891711\KB891711.EXE
  Command Line : n/a
  ProcessID : 4294778719
  Threads : 1
  Priority : Normal
  FileVersion : 4.10.2223
  ProductVersion : 4.10.2222
  ProductName : Microsoft(R) Windows(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Windows KB891711 component
  InternalName : KB891711
  LegalCopyright : Copyright (C) Microsoft Corp. 1991-2005
  OriginalFilename : KB891711.EXE

#:8 [MSTASK.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
  Command Line : mstask.exe
  ProcessID : 4294775919
  Threads : 2
  Priority : Normal
  FileVersion : 4.71.1972.1
  ProductVersion : 4.71.1972.1
  ProductName : Microsoft® Windows® Task Scheduler
  CompanyName : Microsoft Corporation
  FileDescription : Task Scheduler Engine
  InternalName : TaskScheduler
  LegalCopyright : Copyright (C) Microsoft Corp. 2000
  OriginalFilename : mstask.exe

#:9 [mmtask.tsk]
  ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
  Command Line : n/a
  ProcessID : 4294791487
  Threads : 1
  Priority : Normal
  FileVersion : 4.03.1998
  ProductVersion : 4.03.1998
  ProductName : Microsoft Windows
  CompanyName : Microsoft Corporation
  FileDescription : Multimedia background task support module
  InternalName : mmtask.tsk
  LegalCopyright : Copyright © Microsoft Corp. 1991-1998
  OriginalFilename : mmtask.tsk

#:10 [EXPLORER.EXE]
  ModuleName : C:\WINDOWS\EXPLORER.EXE
  Command Line : C:\WINDOWS\Explorer.exe
  ProcessID : 4294797899
  Threads : 15
  Priority : Normal
  FileVersion : 4.72.3110.1
  ProductVersion : 4.72.3110.1
  ProductName : Microsoft(R) Windows NT(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Windows Explorer
  InternalName : explorer
  LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
  OriginalFilename : EXPLORER.EXE

#:11 [SYSTRAY.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
  ProcessID : 4294811403
  Threads : 1
  Priority : Normal
  FileVersion : 4.10.1998
  ProductVersion : 4.10.1998
  ProductName : Microsoft(R) Windows(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : System Tray Applet
  InternalName : SYSTRAY
  LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
  OriginalFilename : SYSTRAY.EXE

#:12 [WATCHDOG.EXE]
  ModuleName : C:\COMPAQ\INTERNET\WATCHDOG.EXE
  Command Line : "C:\COMPAQ\INTERNET\WATCHDOG.EXE"
  ProcessID : 4294832215
  Threads : 1
  Priority : Normal
  FileVersion : 1, 0, 0, 3
  ProductVersion : 1, 0, 0, 3
  ProductName : WATCHDOG Application
  CompanyName : Compaq Computer Corp.
  FileDescription : WATCHDOG MFC Application
  InternalName : WATCHDOG
  LegalCopyright : Copyright © 1997 Compaq Computer Corp.
  OriginalFilename : WATCHDOG.EXE

#:13 [CPQEAUI.EXE]
  ModuleName : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
  Command Line : "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
  ProcessID : 4294821003
  Threads : 1
  Priority : Normal
  FileVersion : 3.00.023
  ProductVersion : 3.00.023
  ProductName : Compaq Easy Access Button Support
  CompanyName : Compaq Computer Corporation
  FileDescription : Easy Access Software User Interface Component
  InternalName : cpqeaui
  LegalCopyright : Copyright (C) 1997, 1998
  OriginalFilename : cpqeaui.exe

#:14 [ATICWD32.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\ATICWD32.EXE
  Command Line : "C:\WINDOWS\SYSTEM\Aticwd32.exe"
  ProcessID : 4294710007
  Threads : 1
  Priority : Normal
  FileVersion : 4.10.2339
  ProductVersion : 4.10.2339
  ProductName : ATI Technologies Inc.
  CompanyName : ATI Technologies Inc.
  FileDescription : ATI Common Windows Display Driver Extension
  InternalName : ATICWD32
  LegalCopyright : Copyright © ATI Technologies Inc., 1998
  OriginalFilename : ATICWD32.EXE

#:15 [ATITASK.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\ATITASK.EXE
  Command Line : "C:\WINDOWS\SYSTEM\Atitask.exe"
  ProcessID : 4294828119
  Threads : 1
  Priority : Normal
  FileVersion : 4.10.2304
  ProductVersion : 4.10.2304
  ProductName : ATI Technologies, Inc.
  CompanyName : ATI Technologies, Inc.
  FileDescription : ATI Task Application
  InternalName : AtiTask
  LegalCopyright : Copyright © ATI Technologies Inc. 1998
  OriginalFilename : AtiTask

#:16 [BTTNSERV.EXE]
  ModuleName : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
  Command Line : "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE" -Embedding
  ProcessID : 4294719135
  Threads : 2
  Priority : Normal
  FileVersion : 3.00.007
  ProductVersion : 3.00.007
  ProductName : BttnSvr Module
  CompanyName : Compaq Computer Corporation
  FileDescription : Buton Server
  InternalName : BttnSvr
  LegalCopyright : Copyright 1997-1998
  OriginalFilename : BttnSvr.exe

#:17 [STUTFIX.EXE]
  ModuleName : C:\WINDOWS\STUTFIX.EXE
  Command Line : "C:\Windows\stutfix.exe"
  ProcessID : 4294730507
  Threads : 1
  Priority : Normal
  FileVersion : 1.00.000
  ProductVersion : 1.00.000
  ProductName : StutFix
  CompanyName : Compaq Computer Corporation
  FileDescription : Fixes Audo stutter problems for ESS Maestro
  InternalName : StutFix
  LegalCopyright : Copyright (C) 1998, Compaq Computer Corporation
  OriginalFilename : StutFix.EXE
  Comments : Fixes Audo stutter problems for ESS Maestro

#:18 [LOADQM.EXE]
  ModuleName : C:\WINDOWS\LOADQM.EXE
  Command Line : "C:\WINDOWS\loadqm.exe"
  ProcessID : 4294741063
  Threads : 3
  Priority : Normal
  FileVersion : 5.4.1103.3
  ProductVersion : 5.4.1103.3
  ProductName : QMgr Loader
  CompanyName : Microsoft Corporation
  FileDescription : Microsoft QMgr
  InternalName : LOADQM.EXE
  LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
  OriginalFilename : LOADQM.EXE

#:19 [REALPLAY.EXE]
  ModuleName : C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
  Command Line : "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
  ProcessID : 4294750443
  Threads : 6
  Priority : Normal
  FileVersion : 6.0.9.584
  ProductVersion : 6.0.9.584
  ProductName : RealPlayer (32-bit)
  CompanyName : RealNetworks, Inc.
  FileDescription : RealPlayer
  InternalName : REALPLAY
  LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
  LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
  OriginalFilename : REALPLAY.EXE

#:20 [AOLTRAY.EXE]
  ModuleName : C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOLTRAY.EXE
  Command Line : "C:\Program Files\America Online 8.0a\aoltray.exe" -check
  ProcessID : 4294666851
  Threads : 1
  Priority : Normal
  FileVersion : 8.00.000
  ProductVersion : 8.00.000
  ProductName : America Online
  CompanyName : America Online, Inc.
  FileDescription : AOL Tray Icon
  InternalName : AolTray
  LegalCopyright : Copyright (C) America Online, Inc. 1999 - 2003

#:21 [BACKWEB.EXE]
  ModuleName : C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
  Command Line : C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE -Embedding
  ProcessID : 4294595771
  Threads : 9
  Priority : Normal
  FileVersion : 4.0
  ProductVersion : 4.0
  ProductName : BackWeb
  CompanyName : BackWeb Technologies Inc.
  FileDescription : BackWeb
  InternalName : BackWeb
  LegalCopyright : Copyright © 1996-1997
  OriginalFilename : BACKWEB.EXE

#:22 [WAOL.EXE]
  ModuleName : C:\PROGRAM FILES\AMERICA ONLINE 8.0A\WAOL.EXE
  Command Line : n/a
  ProcessID : 4294660019
  Threads : 29
  Priority : Normal

#:23 [SHELLMON.EXE]
  ModuleName : C:\PROGRAM FILES\AMERICA ONLINE 8.0A\SHELLMON.EXE
  Command Line : n/a
  ProcessID : 4294728887
  Threads : 1
  Priority : Normal

#:24 [SPOOL32.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\SPOOL32.EXE
  Command Line : C:\WINDOWS\SYSTEM\spool32.exe
  ProcessID : 4294724627
  Threads : 2
  Priority : Normal
  FileVersion : 4.10.1998
  ProductVersion : 4.10.1998
  ProductName : Microsoft(R) Windows(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Spooler Sub System Process
  InternalName : spool32
  LegalCopyright : Copyright (C) Microsoft Corp. 1994 - 1998
  OriginalFilename : spool32.exe

#:25 [AOLWBSPD.EXE]
  ModuleName : C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOLWBSPD.EXE
  Command Line : n/a
  ProcessID : 4294562579
  Threads : 3
  Priority : Normal
  FileVersion : 1, 0, 5, 0
  ProductVersion : [v1.1-5] On Mon 03/01/2004 15:39:43.96
  ProductName : AOL TopSpeed(TM)
  CompanyName : America Online Inc
  FileDescription : AOL TopSpeed(TM)
  InternalName : AOL TopSpeed(TM)
  LegalCopyright : Copyright © America Online 2003
  LegalTrademarks : AOL TopSpeed(TM)
  OriginalFilename : aolwbspd.exe

#:26 [RNAAPP.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\RNAAPP.EXE
  Command Line : rnaapp.exe -l
  ProcessID : 4294492807
  Threads : 3
  Priority : Normal
  FileVersion : 4.10.1998
  ProductVersion : 4.10.1998
  ProductName : Microsoft(R) Windows(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Dial-Up Networking Application
  InternalName : RNAAPP
  LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
  OriginalFilename : RNAAPP.EXE

#:27 [TAPISRV.EXE]
  ModuleName : C:\WINDOWS\SYSTEM\TAPISRV.EXE
  Command Line : tapisrv.exe
  ProcessID : 4294500911
  Threads : 6
  Priority : Normal
  FileVersion : 4.10.2000
  ProductVersion : 4.10.1998
  ProductName : Microsoft(R) Windows(R) Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Microsoft® Windows(TM) Telephony Server
  InternalName : Telephony Service
  LegalCopyright : Copyright (C) Microsoft Corp. 1994-1998
  OriginalFilename : TAPISRV.EXE

#:28 [AD-AWARE.EXE]
  ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
  Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
  ProcessID : 4294364255
  Threads : 3
  Priority : Normal
  FileVersion : 6.2.0.206
  ProductVersion : VI.Second Edition
  ProductName : Lavasoft Ad-Aware SE
  CompanyName : Lavasoft Sweden
  FileDescription : Ad-Aware SE Core application
  InternalName : Ad-Aware.exe
  LegalCopyright : Copyright © Lavasoft Sweden
  OriginalFilename : Ad-Aware.exe
  Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Security iGuard Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\rex-services

Security iGuard Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\rex-services
  Value : MGuid

Alexa Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
  Rootkey : HKEY_USERS
  Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
  Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 3

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

MRU List Object Recognized!
  Location: : software\microsoft\directdraw\mostrecentapplication
  Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
  Location: : .DEFAULT\software\microsoft\internet explorer
  Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
  Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
  Description : list of recent files opened using wordpad

MRU List Object Recognized!
  Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru
  Description : list of recently used search terms for locating files using the microsoft windows operating system

MRU List Object Recognized!
  Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
  Description : mru list for items opened in start | run

MRU List Object Recognized!
  Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
  Description : windows media sdk

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@tribalfusion[1].txt
  Category : Data Miner
  Comment : Hits:3
  Value : Cookie:anyuser@tribalfusion.com/
  Expires : 12-31-2037 8:00:00 PM
  LastSync : Hits:3
  UseCount : 0
  Hits : 3

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@atdmt[2].txt
  Category : Data Miner
  Comment : Hits:3
  Value : Cookie:anyuser@atdmt.com/
  Expires : 4-30-2010 8:00:00 PM
  LastSync : Hits:3
  UseCount : 0
  Hits : 3

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@fastclick[1].txt
  Category : Data Miner
  Comment : Hits:10
  Value : Cookie:anyuser@fastclick.net/
  Expires : 4-22-2007 10:11:14 AM
  LastSync : Hits:10
  UseCount : 0
  Hits : 10

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@doubleclick[1].txt
  Category : Data Miner
  Comment : Hits:4
  Value : Cookie:anyuser@doubleclick.net/
  Expires : 5-1-2008 10:15:28 AM
  LastSync : Hits:4
  UseCount : 0
  Hits : 4

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@bluestreak[1].txt
  Category : Data Miner
  Comment : Hits:1
  Value : Cookie:anyuser@bluestreak.com/
  Expires : 4-30-2015 6:12:22 AM
  LastSync : Hits:1
  UseCount : 0
  Hits : 1

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@specificclick[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\anyuser@specificclick[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@bs.serving-sys[2].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\anyuser@bs.serving-sys[2].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@tickle[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\anyuser@tickle[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@bs.serving-sys[3].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\anyuser@bs.serving-sys[3].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@www.123count[2].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\anyuser@www.123count[2].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@bs.serving-sys[4].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\anyuser@bs.serving-sys[4].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@tickle[3].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\anyuser@tickle[3].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : dona lee cain@specificclick[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\dona lee cain@specificclick[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@www.123count[3].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\\anyuser@www.123count[3].txt

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 14
Objects found so far: 23

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@specificclick[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@specificclick[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@bs.serving-sys[2].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@bs.serving-sys[2].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@tickle[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@tickle[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@bs.serving-sys[3].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@bs.serving-sys[3].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@www.123count[2].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@www.123count[2].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@bs.serving-sys[4].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@bs.serving-sys[4].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@tickle[3].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@tickle[3].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : dona lee cain@specificclick[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\dona lee cain@specificclick[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@www.123count[3].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@www.123count[3].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@doubleclick[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@doubleclick[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@bluestreak[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@bluestreak[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@atdmt[2].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@atdmt[2].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@fastclick[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@fastclick[1].txt

Tracking Cookie Object Recognized!
  Type : IECache Entry
  Data : anyuser@tribalfusion[1].txt
  Category : Data Miner
  Comment :
  Value : C:\WINDOWS\Cookies\anyuser@tribalfusion[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 37

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 37

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Security iGuard Object Recognized!
  Type : Folder
  Category : Malware
  Comment :
  Object : C:\WINDOWS\Application Data\Rex-Services

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 38

8:30:45 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:26.20
Objects scanned:73182
Objects identified:32
Objects ignored:0
New critical objects:32

QUARANTINED and Removed bad files

==========
Logfile of HijackThis v1.99.1
Scan saved at 3:16:32 PM, on 5/3/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\STUTFIX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOLTRAY.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=enu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [CPQEASYACC] C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CPQ BackWeb Monitor] C:\CPQS\TOOLS\BackMon2.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\PROGRAM FILES\3B SOFTWARE\WINDOWS REGISTRY REPAIR PRO\REGISTRYREPAIRPRO.EXE 4
O4 - Startup: KEYMACRO.DLL
O4 - Startup: BackWeb.LNK = C:\CPQS\BackWeb\Program\UserProf.EXE
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {0633FBC0-B425-11D9-9D6C-0008C7223F97} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0633FBC0-B425-11D9-9D6C-0008C7223F97} - (no file) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {7AEB674E-4089-11D1-93F0-00A0241763CD} (CouponDown Class) - http://www5.coolsavings.com/download/CouponX.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://ras.moonri.com/l.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net