Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[Referred]Web Broswer hijacked. Ad-aware log below

Started by zabu61 , Apr 23 2005 08:23 PM

  • Please log in to reply

#1
zabu61
Posted 23 April 2005 - 08:23 PM

zabu61

    New Member

  • Member
  • Pip
  • 7 posts
PC Windows XP home edition sp2, attempting spyware reovery - successfully removed smiley central / mywebsearch. igetnet hanging on.

ADaware logs:

Ad-Aware SE Build 1.05
Logfile Created on:Saturday, April 23, 2005 3:22:31 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R40 20.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):11 total references
CoolSavings(TAC index:5):10 total references
Hi-Wire(TAC index:4):18 total references
IGetNet(TAC index:8):19 total references
MRU List(TAC index:0):16 total references
Possible Browser Hijack attempt(TAC index:3):18 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R40 20.04.2005
Internal build : 47
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 461235 Bytes
Total size : 1395231 Bytes
Signature data size : 1364710 Bytes
Reference data size : 30009 Bytes
Signatures total : 38921
Fingerprints total : 813
Fingerprints size : 29073 Bytes
Target categories : 15
Target families : 650


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:70 %
Total physical memory:654640 kb
Available physical memory:454612 kb
Total page file size:1599992 kb
Available on page file:1468752 kb
Total virtual memory:2097024 kb
Available virtual memory:2044888 kb
OS:Microsoft Windows XP Home Edition (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4-23-2005 3:22:31 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 380
ThreadCreationTime : 4-23-2005 7:13:19 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 428
ThreadCreationTime : 4-23-2005 7:13:21 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 452
ThreadCreationTime : 4-23-2005 7:13:22 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 496
ThreadCreationTime : 4-23-2005 7:13:22 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 508
ThreadCreationTime : 4-23-2005 7:13:22 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 656
ThreadCreationTime : 4-23-2005 7:13:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 748
ThreadCreationTime : 4-23-2005 7:14:46 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 776
ThreadCreationTime : 4-23-2005 7:14:46 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 880
ThreadCreationTime : 4-23-2005 7:14:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 916
ThreadCreationTime : 4-23-2005 7:14:50 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1012
ThreadCreationTime : 4-23-2005 7:14:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1208
ThreadCreationTime : 4-23-2005 7:15:02 PM
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [ati2evxx.exe]
ModuleName : C:\WINDOWS\System32\Ati2evxx.exe
Command Line : C:\WINDOWS\System32\Ati2evxx.exe
ProcessID : 1276
ThreadCreationTime : 4-23-2005 7:15:05 PM
BasePriority : Normal


#:14 [directcd.exe]
ModuleName : C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Command Line : "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
ProcessID : 1556
ThreadCreationTime : 4-23-2005 7:15:26 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001,2002, Roxio, Inc.
OriginalFilename : Directcd.exe

#:15 [gwmdmmsg.exe]
ModuleName : C:\WINDOWS\GWMDMMSG.exe
Command Line : "C:\WINDOWS\GWMDMMSG.exe"
ProcessID : 1604
ThreadCreationTime : 4-23-2005 7:15:27 PM
BasePriority : Normal
FileVersion : 3.3.24 01/30/2002 15:24:37
ProductVersion : 3.3.24 01/30/2002 15:24:37
ProductName : GTW Modem Messaging Applet
CompanyName : GTW
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © GTW 1998-2000
OriginalFilename : smdmstat.exe

#:16 [devldr32.exe]
ModuleName : C:\WINDOWS\System32\devldr32.exe
Command Line : C:\WINDOWS\System32\devldr32.exe
ProcessID : 1684
ThreadCreationTime : 4-23-2005 7:15:29 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 17
ProductName : Creative Ring3 NT Inteface
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
LegalCopyright : Copyright © Creative Technology Ltd. 1998-2001
OriginalFilename : DevLdr32.exe

#:17 [mm_tray.exe]
ModuleName : C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
Command Line : "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
ProcessID : 1768
ThreadCreationTime : 4-23-2005 7:15:32 PM
BasePriority : Normal
FileVersion : 8.00.0101
ProductVersion : 8.00.0101
ProductName : MUSICMATCH JUKEBOX
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
LegalCopyright : Copyright © MUSICMATCH 1998-2003
LegalTrademarks :
OriginalFilename : mm_tray.exe

#:18 [netmeter.exe]
ModuleName : C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
Command Line : "C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe"
ProcessID : 1792
ThreadCreationTime : 4-23-2005 7:15:34 PM
BasePriority : Normal
FileVersion : 4.52.30.0r
ProductVersion : 4.52.30.0r
ProductName : NetMeter
CompanyName : NetRatings, Inc.
FileDescription : NetMeter
LegalCopyright : Copyright © 2003 NetRatings, Inc.
OriginalFilename : netmeter.exe

#:19 [realsched.exe]
ModuleName : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Command Line : "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ProcessID : 1804
ThreadCreationTime : 4-23-2005 7:15:34 PM
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:20 [msmsgs.exe]
ModuleName : C:\Program Files\Messenger\msmsgs.exe
Command Line : "C:\Program Files\Messenger\msmsgs.exe" /background
ProcessID : 1856
ThreadCreationTime : 4-23-2005 7:15:37 PM
BasePriority : Normal
FileVersion : 4.0.0155
ProductVersion : Version 4.0
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger Client
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 1997-2001
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:21 [it_cpquickstart.exe]
ModuleName : C:\Program Files\InterTrust\InterRights Point\Program\it_cpquickstart.exe
Command Line : "C:\Program Files\InterTrust\InterRights Point\Program\it_cpquickstart.exe"
ProcessID : 1952
ThreadCreationTime : 4-23-2005 7:15:54 PM
BasePriority : Normal
FileVersion : 1.3.1.1214
ProductVersion : 1.3.1
ProductName : InterTrust system tray icon
CompanyName : InterTrust Technologies Corp.
FileDescription : InterTrust system tray icon
InternalName : InterTrust system tray icon
LegalCopyright : Copyright 1997-2000 InterTrust Technologies Corporation. All rights reserved.
OriginalFilename : it_CPQuickStart.exe

#:22 [wkcalrem.exe]
ModuleName : C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Command Line : "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe"
ProcessID : 1968
ThreadCreationTime : 4-23-2005 7:15:56 PM
BasePriority : Normal
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:23 [wpabaln.exe]
ModuleName : C:\WINDOWS\System32\wpabaln.exe
Command Line : C:\WINDOWS\System32\wpabaln.exe 30
ProcessID : 1296
ThreadCreationTime : 4-23-2005 7:17:02 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows WPA Balloon Reminder
InternalName : WPABALN.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WPABALN.EXE

#:24 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1932
ThreadCreationTime : 4-23-2005 7:18:08 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolSavings Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{549f957e-2f89-11d6-8cfe-00c04f52b225}

CoolSavings Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{549f957e-2f89-11d6-8cfe-00c04f52b225}
Value :

CoolSavings Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cpnmgr.cmv5

CoolSavings Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cpnmgr.cmv5
Value :

CoolSavings Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cpnmgr.cmv5.3

CoolSavings Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cpnmgr.cmv5.3
Value :

CoolSavings Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{549f9571-2f89-11d6-8cfe-00c04f52b225}

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28f00b04-dc4e-11d3-abec-005004a44eeb}

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28f00b04-dc4e-11d3-abec-005004a44eeb}
Value :

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28f00b20-dc4e-11d3-abec-005004a44eeb}

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28f00b20-dc4e-11d3-abec-005004a44eeb}
Value :

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28f00b21-dc4e-11d3-abec-005004a44eeb}

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28f00b21-dc4e-11d3-abec-005004a44eeb}
Value :

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.configurator

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.configurator
Value :

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.configurator.1

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.configurator.1
Value :

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.transportcenter

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.transportcenter
Value :

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.transportcenter.1

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.transportcenter.1
Value :

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.userregrequest

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.userregrequest
Value :

Hi-Wire Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.userregrequest.1

Hi-Wire Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : hiwire.userregrequest.1
Value :

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bho.clsurlsearch

IGetNet Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bho.clsurlsearch
Value :

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}

IGetNet Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
Value :

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676058e4-89bd-11d6-8a8c-0050ba8452c0}

IGetNet Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676058e4-89bd-11d6-8a8c-0050ba8452c0}
Value :

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{226a045e-fd4e-4632-b51d-a112bd8254e5}

IGetNet Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{226a045e-fd4e-4632-b51d-a112bd8254e5}
Value :

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : rsp.bizlgk

IGetNet Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : rsp.bizlgk
Value :

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{676058db-89bd-11d6-8a8c-0050ba8452c0}

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment : IGN
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{acba087f-1547-41de-8e9e-3f0963ce4bef}

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\vb and vba program settings\ie rsp

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-18\software\vb and vba program settings\ie rsp

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

CoolSavings Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{549f957e-2f89-11d6-8cfe-00c04f52b225}

CoolSavings Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{549f957e-2f89-11d6-8cfe-00c04f52b225}
Value : SystemComponent

CoolSavings Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{549f957e-2f89-11d6-8cfe-00c04f52b225}
Value : Installer

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}

IGetNet Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
Value :

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

IGetNet Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "WinStart001.EXE"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : WinStart001.EXE

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 56
Objects found so far: 56


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe
Value : UninstallString

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe
Value : Contact

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe
Value : Comments

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\GameHouse Solitaire Deluxe
Value : DisplayIcon

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire
Value : UninstallString

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire
Value : Contact

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire
Value : Comments

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire "http://www.gamehouse.com"
Category : Data Miner
Comment : (http://www.gamehouse.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\Super GameHouse Solitaire
Value : DisplayIcon

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 74

MRU List Object Recognized!
Location: : C:\Documents and Settings\Norman\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\musicmatch
Description : download location of the musicmatch installer


MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description : information on the last station listened to using musicmatch radio


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\fileconv
Description : file conversion location settings in musicmatch jukebox


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 90



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 90


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
129 entries scanned.
New critical objects:0
Objects found so far: 90




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

IGetNet Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f6fbfe07-ca76-438e-b34e-4f4dc41f0123}

IGetNet Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f6fbfe07-ca76-438e-b34e-4f4dc41f0123}
Value :

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 92

3:38:06 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:15:34.944
Objects scanned:160805
Objects identified:76
Objects ignored:0
New critical objects:76
  • 0

Advertisements

#2
Guest_Andy_veal_*
Posted 24 April 2005 - 03:38 AM

Guest_Andy_veal_*
  • Guest
In order to assist you, we need to see the log from an Ad-Aware SE 1.05 full system scan.

Important Note! Before performing a scan, be sure that you have the most recent definitions file by using WebUpdate. (Click on the Globe icon, Click connect, Click OK, Click Finish.) At this current point * SE1R40 20.04.2005 * is the most recent definition file.

Ad-Aware SE comes preconfigured with default options so we need you to make only one change. Please deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Select "Perform Full System Scan" and press "Next". When the scan has completed, click "Show Logfile".

Please copy/paste the complete log file here using the reply button. Don't quarantine or remove anything at this time, just post a complete logfile. This sometimes takes 2-3 posts to get it all posted. You will know you are at the end when you see the "Summary of this scan" information has been posted.

When you have posted your log here, Team Lavasoft can advise on what to do next.

Please post back if you have any questions or other problems.

Good luck

Andy
  • 0

#3
zabu61
Posted 24 April 2005 - 05:48 AM

zabu61

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Another note, I had to manually sign on and donwload the updates and apply them. This computer cannot connect and download.

More info: Cannot connet via IE or Firefox; neither can WPA (windows acitivation - it was reinvoked after the infestation got so bad I had to do a repair install of XP, but I digress); yet IP is correctly configured (can ping, have DHCP addr, DNS assigned, can nslookup to the dns servers ok) and Yahoo messenger can connect.

Weird.

But I do have the latest updates and am running full scan now.

Thanks, will update asap.
  • 0

#4
zabu61
Posted 24 April 2005 - 06:04 AM

zabu61

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
New FULL scan log:


Ad-Aware SE Build 1.05
Logfile Created on:Sunday, April 24, 2005 7:41:55 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R40 20.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R40 20.04.2005
Internal build : 47
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 461235 Bytes
Total size : 1395231 Bytes
Signature data size : 1364710 Bytes
Reference data size : 30009 Bytes
Signatures total : 38921
Fingerprints total : 813
Fingerprints size : 29073 Bytes
Target categories : 15
Target families : 650


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:61 %
Total physical memory:654640 kb
Available physical memory:396988 kb
Total page file size:1599992 kb
Available on page file:1416496 kb
Total virtual memory:2097024 kb
Available virtual memory:2040864 kb
OS:Microsoft Windows XP Home Edition (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4-24-2005 7:41:55 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-343818398-1935655697-1060284298-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description : information on the last station listened to using musicmatch radio


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 376
ThreadCreationTime : 4-24-2005 11:34:04 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 424
ThreadCreationTime : 4-24-2005 11:34:06 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 448
ThreadCreationTime : 4-24-2005 11:34:07 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 492
ThreadCreationTime : 4-24-2005 11:34:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 504
ThreadCreationTime : 4-24-2005 11:34:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 652
ThreadCreationTime : 4-24-2005 11:34:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 744
ThreadCreationTime : 4-24-2005 11:35:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 780
ThreadCreationTime : 4-24-2005 11:35:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 876
ThreadCreationTime : 4-24-2005 11:35:31 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 904
ThreadCreationTime : 4-24-2005 11:35:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1012
ThreadCreationTime : 4-24-2005 11:35:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [ati2evxx.exe]
ModuleName : C:\WINDOWS\System32\Ati2evxx.exe
Command Line : C:\WINDOWS\System32\Ati2evxx.exe
ProcessID : 1120
ThreadCreationTime : 4-24-2005 11:35:41 AM
BasePriority : Normal


#:13 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1452
ThreadCreationTime : 4-24-2005 11:35:55 AM
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:14 [directcd.exe]
ModuleName : C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
Command Line : "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
ProcessID : 1600
ThreadCreationTime : 4-24-2005 11:36:06 AM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001,2002, Roxio, Inc.
OriginalFilename : Directcd.exe

#:15 [gwmdmmsg.exe]
ModuleName : C:\WINDOWS\GWMDMMSG.exe
Command Line : "C:\WINDOWS\GWMDMMSG.exe"
ProcessID : 1616
ThreadCreationTime : 4-24-2005 11:36:06 AM
BasePriority : Normal
FileVersion : 3.3.24 01/30/2002 15:24:37
ProductVersion : 3.3.24 01/30/2002 15:24:37
ProductName : GTW Modem Messaging Applet
CompanyName : GTW
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © GTW 1998-2000
OriginalFilename : smdmstat.exe

#:16 [devldr32.exe]
ModuleName : C:\WINDOWS\System32\devldr32.exe
Command Line : C:\WINDOWS\System32\devldr32.exe
ProcessID : 1736
ThreadCreationTime : 4-24-2005 11:36:13 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 17
ProductName : Creative Ring3 NT Inteface
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
LegalCopyright : Copyright © Creative Technology Ltd. 1998-2001
OriginalFilename : DevLdr32.exe

#:17 [mm_tray.exe]
ModuleName : C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
Command Line : "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
ProcessID : 1744
ThreadCreationTime : 4-24-2005 11:36:13 AM
BasePriority : Normal
FileVersion : 8.00.0101
ProductVersion : 8.00.0101
ProductName : MUSICMATCH JUKEBOX
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
LegalCopyright : Copyright © MUSICMATCH 1998-2003
LegalTrademarks :
OriginalFilename : mm_tray.exe

#:18 [qttask.exe]
ModuleName : C:\Program Files\QuickTime\qttask.exe
Command Line : "C:\Program Files\QuickTime\qttask.exe" -atboottime
ProcessID : 1752
ThreadCreationTime : 4-24-2005 11:36:13 AM
BasePriority : Normal
FileVersion : 6.3
ProductVersion : QuickTime 6.3
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:19 [netmeter.exe]
ModuleName : C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
Command Line : "C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe"
ProcessID : 1776
ThreadCreationTime : 4-24-2005 11:36:14 AM
BasePriority : Normal
FileVersion : 4.52.30.0r
ProductVersion : 4.52.30.0r
ProductName : NetMeter
CompanyName : NetRatings, Inc.
FileDescription : NetMeter
LegalCopyright : Copyright © 2003 NetRatings, Inc.
OriginalFilename : netmeter.exe

#:20 [realsched.exe]
ModuleName : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Command Line : "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ProcessID : 1796
ThreadCreationTime : 4-24-2005 11:36:16 AM
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:21 [msmsgs.exe]
ModuleName : C:\Program Files\Messenger\msmsgs.exe
Command Line : "C:\Program Files\Messenger\msmsgs.exe" /background
ProcessID : 1848
ThreadCreationTime : 4-24-2005 11:36:19 AM
BasePriority : Normal
FileVersion : 4.0.0155
ProductVersion : Version 4.0
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger Client
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 1997-2001
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:22 [ypager.exe]
ModuleName : C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
Command Line : "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
ProcessID : 1864
ThreadCreationTime : 4-24-2005 11:36:21 AM
BasePriority : Normal
FileVersion : 6,0,0,1750
ProductVersion : 6,0,0,1750
ProductName : Yahoo! Messenger
CompanyName : Yahoo! Inc.
FileDescription : Yahoo! Messenger
InternalName : Yahoo! Messengerr
LegalCopyright : Copyright 1998-2004
OriginalFilename : YPager.exe

#:23 [it_cpquickstart.exe]
ModuleName : C:\Program Files\InterTrust\InterRights Point\Program\it_cpquickstart.exe
Command Line : "C:\Program Files\InterTrust\InterRights Point\Program\it_cpquickstart.exe"
ProcessID : 168
ThreadCreationTime : 4-24-2005 11:36:52 AM
BasePriority : Normal
FileVersion : 1.3.1.1214
ProductVersion : 1.3.1
ProductName : InterTrust system tray icon
CompanyName : InterTrust Technologies Corp.
FileDescription : InterTrust system tray icon
InternalName : InterTrust system tray icon
LegalCopyright : Copyright 1997-2000 InterTrust Technologies Corporation. All rights reserved.
OriginalFilename : it_CPQuickStart.exe

#:24 [wkcalrem.exe]
ModuleName : C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Command Line : "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe"
ProcessID : 360
ThreadCreationTime : 4-24-2005 11:36:57 AM
BasePriority : Normal
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:25 [spysub.exe]
ModuleName : C:\Program Files\interMute\SpySubtract\SpySub.exe
Command Line : "C:\Program Files\interMute\SpySubtract\SpySub.exe" -autostart
ProcessID : 400
ThreadCreationTime : 4-24-2005 11:36:59 AM
BasePriority : Normal
FileVersion : 1, 0, 1, 49
ProductVersion : 2.60
ProductName : SpySubtract
CompanyName : InterMute, Inc.
FileDescription : SpySubtract Program EXE
InternalName : SpySub.exe
LegalCopyright : Copyright © 2004 InterMute, Inc. All rights reserved.
OriginalFilename : SpySub.exe

#:26 [wpabaln.exe]
ModuleName : C:\WINDOWS\System32\wpabaln.exe
Command Line : C:\WINDOWS\System32\wpabaln.exe 30
ProcessID : 1704
ThreadCreationTime : 4-24-2005 11:37:55 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows WPA Balloon Reminder
InternalName : WPABALN.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WPABALN.EXE

#:27 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 356
ThreadCreationTime : 4-24-2005 11:40:10 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
129 entries scanned.
New critical objects:0
Objects found so far: 6




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

7:58:44 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:48.540
Objects scanned:161534
Objects identified:0
Objects ignored:0
New critical objects:0
  • 0

#5
Rawe
Posted 24 April 2005 - 06:17 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi.
Mru's aren't considered as a threat.
Download this tool, and run it also.
http://www.filehippo...2/download.html
(Ccleaner that is.)
After cleaned mru's, run a full system scan with ad-aware and i'm pretty sure that it will come up clean..
If not, post a new log and someone of our excellent Ad-aware expert's will take a look.

- Rawe :tazz:
  • 0

#6
zabu61
Posted 24 April 2005 - 06:35 AM

zabu61

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
downloaded, ran it (analyze first) it wants to delete adaware and spybot files as well as other user files (as I said I am doing this for a friend)

This seems a tad aggressive and non-discriminating.
  • 0

#7
Guest_Andy_veal_*
Posted 24 April 2005 - 04:39 PM

Guest_Andy_veal_*
  • Guest

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
129 entries scanned.
New critical objects:0
Objects found so far: 6


If your system is running a program which changes the hosts file or you have added listings to the hosts file then there is no need to check further. Otherwise, please download the "Host File Viewer" by Option^Explicit. It is a 65K program which will allow you to find/view/open/read/edit/restore to default settings your HOST file. Instructions are on the display screen of the program. Select the option to restore to default settings.
http://members.acces...sFileReader.zip
  • 0

#8
Guest_Andy_veal_*
Posted 24 April 2005 - 05:04 PM

Guest_Andy_veal_*
  • Guest
Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.
  • 0

#9
zabu61
Posted 03 May 2005 - 08:00 PM

zabu61

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
HIJACK-THIS LOG Attached below.
Symptom: cannot reach internet using browsers (ie 6, firefox), though yahoo messenger connects; updates of adaware, spybot, windows activation can NOT.

RESULTS OF FOLLOWING STANDARD, REQUIRED STEPS:
-Ran winsockxpfix, no effect.
-adaware reports clean (manual update applied)
-cwshredder reports cleaning cws.smartsearch, cws.Hiddendll
-spybot reports no threats found (manual update applied)
-avg reports no viruses (manual update applied)
-Cannot reach trend housecall due to internet comm failure
-tds-3 reports Adware OTXMedia (dll) in c:\windows\downloaded program files\otxmedia.dll (manually deleted)
-cannot reach windows update due to internet comm failure

HIJACK THIS LOG FOLLOWS
Logfile of HijackThis v1.99.1
Scan saved at 9:02:36 PM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\InterTrust\InterRights Point\Program\it_cpquickstart.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wpabaln.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Optimum Online
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetMeter] C:\PROGRA~1\NETRAT~1\NetMeter\NetMeter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: InterTrust Quick Start.lnk = C:\Program Files\InterTrust\InterRights Point\Program\it_cpquickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmtracer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmtracer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmtracer.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresear...ia/OTXMedia.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.....0_SILENT_2.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.1.../ACNePlayer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: IRP - Unknown owner - C:\Program Files\InterTrust\InterRights Point\program\itcnserv.exe" -s (file missing)
O23 - Service: IRPMonitor - Unknown owner - C:\Program Files\InterTrust\InterRights Point\program\itcnmon.exe" -s -l (file missing)
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#10
Kat
Posted 05 May 2005 - 08:44 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

1. Please download LSPFix from here.
2. Run the LSPFix.exe that you have just finished downloading.
3. Check the I know what I'm doing box.
4. In the Keep box you should see one or more instances of nmtracer.dll
5. Select every instance of nmtracer.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.

Scan the computer here:
http://www.ewido.net/en/
Let it do a full run, than copy the log. Past it to a blank Notepad file and save it to post here

Post back with a fresh HJT log and the Ewido scan result, and we'll go from there!
  • 0

#11
zabu61
Posted 05 May 2005 - 09:23 PM

zabu61

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
;) I had started to despair because I hve someone waiting on my reply so started to fiddle. The nmtracer.dll I had suspected and had run an uninstall for nielsen (which the friend had *signed up* for) to remove it, so those are not there. I am running a fresh HJT log for where I am now. I have removed many baddies that I had researched on my own, so this may be a case of doing too much too soon.

MY SINCERE APOLOGIES.

New HJT log on its way very shortly.

--zabu61 :tazz:
  • 0

#12
Kat
Posted 06 May 2005 - 01:29 AM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
this was received from user earlier this evening:

I am blue screening. Quick overview -- removed many items, still no comm. lsp no doubt, but then I said, better return back to where we were, reinserting the O16 nminstal line. blue screen after that. I have also made a mod to the reg remocving the windows shared files entries for nmtracer.dll and nminstall.dll


As I told you earlier, I am very uncomfortable with fishing around in the registry. I am honestly not sure at this point exactly how to proceed. You need to post the fresh HJT log as soon as you can, and I am going to pm a good friend of mine who is one of *the* Spyware removal geniuses...and a registry expert too. Hang tight ,ok and I'll have him take a look.
  • 0

#13
Metallica
Posted 06 May 2005 - 01:37 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Could you please post the exact error message of the BSOD?

I have never ever heard that restoring an ActiveX could lead to such results.
I suspect something else is going on.
Also try to describe as exact as possible what you removed and did.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP