
Ad-Aware log- need help with virus


This topic is locked

#1
dnkrm
New Member, 8 posts
Hey, over the past few days I have been trying to figure out what is wrong with my computer. I have now come to realize that I must have the infamous virus related to the Dr. Watson debugger. Whenever I try to open some programs the computer locks and I have to end the Dr. Watson process in Task Manager.

I have run Ad-Aware and I had over 2000 objects found when I started! I have gotten rid of most of them by running it in safe mode per instructions found in other threads. Right after running in safe mode I ran a full scan again in normal mode, and the scan is below. Let me know what to do next. Thanks.


Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, April 27, 2005 9:50:06 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R41 25.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):1 total references
CoolWebSearch(TAC index:10):14 total references
istbar(TAC index:7):25 total references
Rads01.Quadrogram(TAC index:6):32 total references
SCBAR(TAC index:3):1 total references
SecondThought(TAC index:4):6 total references
WhenU(TAC index:3):1 total references
VX2(TAC index:10):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4/27/2005 9:50:06 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 412
ThreadCreationTime : 4/28/2005 2:49:16 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 492
ThreadCreationTime : 4/28/2005 2:49:19 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 536
ThreadCreationTime : 4/28/2005 2:49:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoftr Windowsr Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 4/28/2005 2:49:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoftr Windowsr Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 692
ThreadCreationTime : 4/28/2005 2:49:19 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoftr Windowsr Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 776
ThreadCreationTime : 4/28/2005 2:49:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoftr Windowsr Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1040
ThreadCreationTime : 4/28/2005 2:49:21 AM
BasePriority : Normal
FileVersion : 8.18
ProductVersion : 8.18
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1064
ThreadCreationTime : 4/28/2005 2:49:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoftr Windowsr Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:9 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1148
ThreadCreationTime : 4/28/2005 2:49:21 AM
BasePriority : Normal
FileVersion : 8.18
ProductVersion : 8.18
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:10 [javage32.exe]
FilePath : C:\WINDOWS\
ProcessID : 1228
ThreadCreationTime : 4/28/2005 2:49:21 AM
BasePriority : Normal


VX2 Object Recognized!
Type : Process
Data : javage32.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\


Warning! VX2 Object found in memory(C:\WINDOWS\javage32.exe)

Warning! "C:\WINDOWS\javage32.exe"Process could not be terminated!
Warning! "C:\WINDOWS\javage32.exe"Process could not be terminated!

#:11 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1240
ThreadCreationTime : 4/28/2005 2:49:23 AM
BasePriority : Normal
FileVersion : 1.00.37
ProductVersion : 1.00.37
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:12 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 1288
ThreadCreationTime : 4/28/2005 2:49:23 AM
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1400
ThreadCreationTime : 4/28/2005 2:49:23 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoftr Windowsr Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ProcessID : 1468
ThreadCreationTime : 4/28/2005 2:49:23 AM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright c 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1996
ThreadCreationTime : 4/28/2005 2:49:35 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoftr Windowsr Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:16 [mhotkey.exe]
FilePath : C:\WINDOWS\
ProcessID : 196
ThreadCreationTime : 4/28/2005 2:49:37 AM
BasePriority : Normal
FileVersion : 2, 2, 2, 0
ProductVersion : 2, 2, 2, 0
ProductName : Chicony Multimedia Driver
CompanyName : Chicony
FileDescription : Chicony Multimedia Driver
InternalName : Multimedia Hotkey Driver
LegalCopyright : Copyright © 2001 Chicony
OriginalFilename : mHotkey.res

#:17 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 204
ThreadCreationTime : 4/28/2005 2:49:37 AM
BasePriority : Normal
FileVersion : 1.0.9.002
ProductVersion : 1.0.9.002
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:18 [hpqcmon.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\
ProcessID : 224
ThreadCreationTime : 4/28/2005 2:49:37 AM
BasePriority : Normal
FileVersion : 2.0.0.133
ProductVersion : 2.0.0.133
ProductName : HpqCmon Application
FileDescription : HpqCmon MFC Application
InternalName : HpqCmon
LegalCopyright : Copyright © 2001
OriginalFilename : HpqCmon.EXE

#:19 [hpgs2wnd.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 232
ThreadCreationTime : 4/28/2005 2:49:37 AM
BasePriority : Normal
FileVersion : 2,3,0,0\ 162
ProductVersion : 2,3,0,0\ 162
ProductName : Hewlett-Packard hpgs2wnd
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
LegalCopyright : Copyright c 2001
OriginalFilename : hpgs2wnd.exe

#:20 [crpm.exe]
FilePath : C:\WINDOWS\
ProcessID : 336
ThreadCreationTime : 4/28/2005 2:49:37 AM
BasePriority : Normal


CoolWebSearch Object Recognized!
Type : Process
Data : crpm.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\


Warning! CoolWebSearch Object found in memory(C:\WINDOWS\crpm.exe)

"C:\WINDOWS\crpm.exe"Process terminated successfully
"C:\WINDOWS\crpm.exe"Process terminated successfully

#:21 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 472
ThreadCreationTime : 4/28/2005 2:49:38 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoftr Windowsr Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:22 [hpgs2wnf.exe]
FilePath : c:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 868
ThreadCreationTime : 4/28/2005 2:49:38 AM
BasePriority : Normal
FileVersion : 2, 6, 0, 162
ProductVersion : 2, 6, 0, 162
ProductName : hpgs2wnf Module
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
LegalCopyright : Copyright 2001
OriginalFilename : hpgs2wnf.EXE

#:23 [bigfix.exe]
FilePath : C:\Program Files\BigFix\
ProcessID : 980
ThreadCreationTime : 4/28/2005 2:49:39 AM
BasePriority : Normal
FileVersion : 1, 7, 6, 0
ProductVersion : 1, 7, 6, 0
ProductName : BigFix
CompanyName : BigFix Inc.
FileDescription : BigFix Client Application
InternalName : BigFix
LegalCopyright : Copyright c 2002
OriginalFilename : BigFix.exe

#:24 [quickdcf.exe]
FilePath : C:\Program Files\FinePixViewer\
ProcessID : 1112
ThreadCreationTime : 4/28/2005 2:49:39 AM
BasePriority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
ProductName : FinePixViewer
CompanyName : FUJI PHOTO FILM CO., LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
LegalCopyright : Copyright 2000-2003 FUJI PHOTO FILM CO.,LTD.
OriginalFilename : QuickDCF.exe

#:25 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2056
ThreadCreationTime : 4/28/2005 2:49:51 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright c Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 3


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SCBAR Object Recognized!
Type : File
Data : A0087596.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1.0.0.2
ProductVersion : 1.0.0.2


180Solutions Object Recognized!
Type : File
Data : A0087597.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : version Application
FileDescription : version MFC Application
InternalName : version
LegalCopyright : Copyright © 2003
OriginalFilename : version.EXE


SecondThought Object Recognized!
Type : File
Data : A0087598.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.1
ProductVersion : 8.0.7.1
ProductName : STC Application
FileDescription : Second Thought
InternalName : STC
LegalCopyright : Copyright © 2003
OriginalFilename : STC.exe


WhenU Object Recognized!
Type : File
Data : A0087599.exe
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1, 6, 1, 3
ProductVersion : 1, 6, 1, 3
ProductName : Save! Setup
CompanyName : WhenU.com, Inc.
FileDescription : Save! Setup
InternalName : SaveInst
LegalCopyright : Copyright 2000
OriginalFilename : SaveInst.exe


istbar Object Recognized!
Type : File
Data : A0087600.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087601.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087602.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087603.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087604.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087605.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087606.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087607.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087608.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087609.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087610.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087611.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087612.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087613.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087614.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087615.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087616.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087617.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087618.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087619.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087620.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087621.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087622.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087623.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087624.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087625.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087626.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087627.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087628.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.7
ProductVersion : 8.0.7.7
InternalName : runpool.dll
OriginalFilename : runpool.dll


Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087629.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087630.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087631.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087632.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087633.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087634.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087635.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087636.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087637.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087638.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : IdleUI Dynamic Link Library
FileDescription : IdleUI Dynamic Link Library
InternalName : IdleUI
LegalCopyright : Copyright © 2003
OriginalFilename : IdleUI.dll


istbar Object Recognized!
Type : File
Data : A0087639.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087640.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087641.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087642.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087643.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087644.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087645.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087646.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087647.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087648.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087649.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087650.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087651.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087652.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087653.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.2
ProductVersion : 8.0.7.2
ProductName : Loader
FileDescription : Loader
InternalName : loader
LegalCopyright : Copyright © 2003
OriginalFilename : loader.exe


istbar Object Recognized!
Type : File
Data : A0087654.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087655.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087656.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087657.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087658.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087659.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087660.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087661.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 69


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {0ABCE593-A2F9-DA6D-2B6D-D92E2B05E875}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 81

10:07:30 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:24.172
Objects scanned:112223
Objects identified:81
Objects ignored:0
New critical objects:81

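Reading a log like the one above by eye means separating three very different things that Ad-Aware SE reports with the same "Object Recognized!" banner: a process that is still running and that the scanner could not unload, registry keys, and copies sitting in System Volume Information restore points (inert unless System Restore replays them). The following is an added example, not code from this thread or from Lavasoft: a small parser for this log layout that pulls out the TAC reference summary, every recognized object, and the "Process could not be terminated!" warnings, then sorts the findings by what they mean for cleanup. The sample log embedded in it is constructed in the same layout as the posted one; its file names, process names and GUIDs are placeholders, not real indicators.

```python
"""Parse an Ad-Aware SE scan log and triage what it found.

Added example for this thread, not code from the forum or from Lavasoft.
Handles the log layout shown in the thread: a "References detected" block
with TAC indexes, "<family> Object Recognized!" blocks of "Key : Value"
lines, and the "Process could not be terminated!" warnings.
"""
import re
import sys
from collections import Counter

# Constructed sample in the posted layout; names and GUIDs are placeholders.
SAMPLE_LOG = r"""Ad-Aware SE Build 1.05
Using definitions file:SE1R41 25.04.2005

References detected during the scan:
CoolWebSearch(TAC index:10):14 total references
VX2(TAC index:10):1 total references

VX2 Object Recognized!
Type : Process
Data : sample32.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\

Warning! "C:\WINDOWS\sample32.exe"Process could not be terminated!
Warning! "C:\WINDOWS\sample32.exe"Process could not be terminated!

CoolWebSearch Object Recognized!
Type : Process
Data : example.exe
Category : Malware
Object : C:\WINDOWS\

"C:\WINDOWS\example.exe"Process terminated successfully

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{00000000-0000-0000-0000-000000000000}

istbar Object Recognized!
Type : File
Data : A0000001.exe
Category : Malware
Object : C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\
"""

RECOGNIZED_RE = re.compile(r"^(?P<family>.+?) Object Recognized!$")
REFERENCE_RE = re.compile(r"^(?P<family>.+?)\(TAC index:(?P<tac>\d+)\):(?P<count>\d+) total references$")
NOT_KILLED_RE = re.compile(r'^Warning! "(?P<path>[^"]+)"Process could not be terminated!$')
KILLED_RE = re.compile(r'^"(?P<path>[^"]+)"Process terminated successfully$')
KV_RE = re.compile(r"^(?P<key>[A-Za-z]+) :\s*(?P<value>.*)$")


def parse_log(text):
    """Walk the log once; collect findings, TAC references and kill results."""
    findings, references, not_terminated, terminated = [], {}, set(), set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line ends an "Object Recognized!" block
        elif m := RECOGNIZED_RE.match(line):
            current = {"family": m.group("family")}
            findings.append(current)
        elif m := REFERENCE_RE.match(line):
            references[m.group("family")] = (int(m.group("tac")), int(m.group("count")))
        elif m := NOT_KILLED_RE.match(line):
            not_terminated.add(m.group("path").lower())
        elif m := KILLED_RE.match(line):
            terminated.add(m.group("path").lower())
        elif current is not None and (m := KV_RE.match(line)):
            current[m.group("key")] = m.group("value")
    return {"findings": findings, "references": references,
            "not_terminated": not_terminated, "terminated": terminated}


def triage(text):
    """Separate live processes from registry leftovers and restore-point copies."""
    parsed = parse_log(text)
    still_running, terminated, restore_copies, registry = [], [], [], []
    for f in parsed["findings"]:
        kind = f.get("Type", "")
        path = f.get("Object", "") + f.get("Data", "")  # Object is the folder, Data the name
        if kind == "Process":
            if path.lower() in parsed["not_terminated"]:
                still_running.append(path)  # the scanner could not unload it: real, live
            elif path.lower() in parsed["terminated"]:
                terminated.append(path)
        elif kind == "File" and "system volume information" in path.lower():
            restore_copies.append(path)  # inert unless System Restore replays the point
        elif kind in ("Regkey", "RegValue"):
            registry.append(f.get("Rootkey", "") + "\\" + f.get("Object", ""))
    return {
        "by_family": dict(Counter(f["family"] for f in parsed["findings"])),
        "tac_index": {fam: tac for fam, (tac, _count) in parsed["references"].items()},
        "still_running": still_running,
        "terminated": terminated,
        "restore_point_copies": len(restore_copies),
        "registry_entries": len(registry),
    }


if __name__ == "__main__":
    # Usage: python adaware_triage.py [saved_log.txt]; without a file the sample is used.
    source = SAMPLE_LOG
    if len(sys.argv) > 1:
        source = open(sys.argv[1], encoding="cp1252", errors="replace").read()
    for key, value in triage(source).items():
        print(f"{key}: {value}")
```

Run against the posted log, the "still_running" list is the part that matters first: in the thread's own log the only process Ad-Aware could not unload is C:\WINDOWS\javage32.exe, while the long run of A00875xx.exe entries are restore-point copies that a rescan will keep reporting until the restore points are purged.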


#2
Rawe
Visiting Staff, 4,746 posts
Hi there.

Ad-aware has found object(s) on your computer

If you choose to clean your computer from what Ad-aware found, follow these instructions below…

Make sure that you are using the * SE1R41 25.04.2005 * definition file.


Open up Ad-Aware SE and click on the gear to access the Configuration menu. Make sure that this setting is applied.

Click on Tweak > Cleaning engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Run CCleaner to assist in this process.
Download CCleaner (Setup: go to Options > Settings > uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Run Ad-Aware SE from the command line, as shown in the instructions below.

Click "Start" > select "Run" > type the text shown below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click Ok.

Note; the path above is of the default installation location for Ad-aware SE, if this is different, adjust it to the location that you have installed it to.

When the scan has completed, select next. In the Scanning Results window, select the "Scan Summary"- tab. Check the box next to CoolWebSearch objects ONLY. Click next, Click Ok.

If problems are caused by deleting a family, just leave it.


Reboot your computer after removal, run a new "full system scan" and post the results as a reply. Don't open any programs or connect to the internet at this time.

Then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted; once the "Summary of this scan" information is shown, you have posted all of your logfile.

Also, keep in mind that when you are posting another logfile, keep "Search for negligible risk entries" deselected, as negligible risk entries (MRUs) aren't considered a threat. This option can be changed when choosing your scan type.

Remember to post your fresh scanlog in THIS topic.

- Rawe

#3 dnkrm (Topic Starter, New Member, 8 posts)
Hey, thanks for your help. Alright, I did as you said. The only problem I had was when I tried to run Ad-Aware from the Run prompt. I would type in the command and hit Run, and then nothing would happen for a second, and then the Safe Mode prompt came up asking whether or not I want to run in Safe Mode. Anyway, I just ran Ad-Aware normally, selected CoolWebSearch, deleted it, rebooted, and ran a full scan, which is below. Let me know what to do next. Thanks.

Ad-Aware SE Build 1.05
Logfile Created on:Thursday, April 28, 2005 8:14:16 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R41 25.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):1 total references
CoolWebSearch(TAC index:10):13 total references
istbar(TAC index:7):25 total references
Rads01.Quadrogram(TAC index:6):32 total references
SCBAR(TAC index:3):1 total references
SecondThought(TAC index:4):6 total references
Tracking Cookie(TAC index:3):2 total references
WhenU(TAC index:3):1 total references
VX2(TAC index:10):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4-28-2005 8:14:16 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 412
ThreadCreationTime : 4-29-2005 1:04:29 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 492
ThreadCreationTime : 4-29-2005 1:04:32 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 536
ThreadCreationTime : 4-29-2005 1:04:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 4-29-2005 1:04:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 692
ThreadCreationTime : 4-29-2005 1:04:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 780
ThreadCreationTime : 4-29-2005 1:04:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1036
ThreadCreationTime : 4-29-2005 1:04:34 AM
BasePriority : Normal
FileVersion : 8.18
ProductVersion : 8.18
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1060
ThreadCreationTime : 4-29-2005 1:04:34 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:9 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1132
ThreadCreationTime : 4-29-2005 1:04:34 AM
BasePriority : Normal
FileVersion : 8.18
ProductVersion : 8.18
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:10 [javage32.exe]
FilePath : C:\WINDOWS\
ProcessID : 1156
ThreadCreationTime : 4-29-2005 1:04:34 AM
BasePriority : Normal


VX2 Object Recognized!
Type : Process
Data : javage32.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\


Warning! VX2 Object found in memory(C:\WINDOWS\javage32.exe)

Warning! "C:\WINDOWS\javage32.exe"Process could not be terminated!
Warning! "C:\WINDOWS\javage32.exe"Process could not be terminated!

#:11 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1232
ThreadCreationTime : 4-29-2005 1:04:36 AM
BasePriority : Normal
FileVersion : 1.00.37
ProductVersion : 1.00.37
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:12 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 1272
ThreadCreationTime : 4-29-2005 1:04:36 AM
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1432
ThreadCreationTime : 4-29-2005 1:04:37 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ProcessID : 1464
ThreadCreationTime : 4-29-2005 1:04:37 AM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 828
ThreadCreationTime : 4-29-2005 1:13:18 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:16 [mhotkey.exe]
FilePath : C:\WINDOWS\
ProcessID : 1088
ThreadCreationTime : 4-29-2005 1:13:19 AM
BasePriority : Normal
FileVersion : 2, 2, 2, 0
ProductVersion : 2, 2, 2, 0
ProductName : Chicony Multimedia Driver
CompanyName : Chicony
FileDescription : Chicony Multimedia Driver
InternalName : Multimedia Hotkey Driver
LegalCopyright : Copyright © 2001 Chicony
OriginalFilename : mHotkey.res

#:17 [hpqcmon.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\
ProcessID : 1336
ThreadCreationTime : 4-29-2005 1:13:19 AM
BasePriority : Normal
FileVersion : 2.0.0.133
ProductVersion : 2.0.0.133
ProductName : HpqCmon Application
FileDescription : HpqCmon MFC Application
InternalName : HpqCmon
LegalCopyright : Copyright © 2001
OriginalFilename : HpqCmon.EXE

#:18 [hpgs2wnd.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 1412
ThreadCreationTime : 4-29-2005 1:13:19 AM
BasePriority : Normal
FileVersion : 2,3,0,0\ 162
ProductVersion : 2,3,0,0\ 162
ProductName : Hewlett-Packard hpgs2wnd
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
LegalCopyright : Copyright © 2001
OriginalFilename : hpgs2wnd.exe

#:19 [crpm.exe]
FilePath : C:\WINDOWS\
ProcessID : 1428
ThreadCreationTime : 4-29-2005 1:13:19 AM
BasePriority : Normal


CoolWebSearch Object Recognized!
Type : Process
Data : crpm.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\


Warning! CoolWebSearch Object found in memory(C:\WINDOWS\crpm.exe)

"C:\WINDOWS\crpm.exe"Process terminated successfully
"C:\WINDOWS\crpm.exe"Process terminated successfully

#:20 [bigfix.exe]
FilePath : C:\Program Files\BigFix\
ProcessID : 1764
ThreadCreationTime : 4-29-2005 1:13:20 AM
BasePriority : Normal
FileVersion : 1, 7, 6, 0
ProductVersion : 1, 7, 6, 0
ProductName : BigFix
CompanyName : BigFix Inc.
FileDescription : BigFix Client Application
InternalName : BigFix
LegalCopyright : Copyright © 2002
OriginalFilename : BigFix.exe

#:21 [quickdcf.exe]
FilePath : C:\Program Files\FinePixViewer\
ProcessID : 1380
ThreadCreationTime : 4-29-2005 1:13:20 AM
BasePriority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
ProductName : FinePixViewer
CompanyName : FUJI PHOTO FILM CO., LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
LegalCopyright : Copyright 2000-2003 FUJI PHOTO FILM CO.,LTD.
OriginalFilename : QuickDCF.exe

#:22 [hpgs2wnf.exe]
FilePath : c:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 520
ThreadCreationTime : 4-29-2005 1:13:21 AM
BasePriority : Normal
FileVersion : 2, 6, 0, 162
ProductVersion : 2, 6, 0, 162
ProductName : hpgs2wnf Module
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
LegalCopyright : Copyright 2001
OriginalFilename : hpgs2wnf.EXE

#:23 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 188
ThreadCreationTime : 4-29-2005 1:13:22 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:24 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1756
ThreadCreationTime : 4-29-2005 1:13:51 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 3


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dan@fastclick[2].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/
Expires : 4-18-2007 6:03:02 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 4



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dan@fastclick[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Dan\Cookies\dan@fastclick[2].txt

SCBAR Object Recognized!
Type : File
Data : A0087596.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1.0.0.2
ProductVersion : 1.0.0.2


180Solutions Object Recognized!
Type : File
Data : A0087597.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : version Application
FileDescription : version MFC Application
InternalName : version
LegalCopyright : Copyright © 2003
OriginalFilename : version.EXE


SecondThought Object Recognized!
Type : File
Data : A0087598.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.1
ProductVersion : 8.0.7.1
ProductName : STC Application
FileDescription : Second Thought
InternalName : STC
LegalCopyright : Copyright © 2003
OriginalFilename : STC.exe


WhenU Object Recognized!
Type : File
Data : A0087599.exe
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1, 6, 1, 3
ProductVersion : 1, 6, 1, 3
ProductName : Save! Setup
CompanyName : WhenU.com, Inc.
FileDescription : Save! Setup
InternalName : SaveInst
LegalCopyright : Copyright 2000
OriginalFilename : SaveInst.exe


istbar Object Recognized!
Type : File
Data : A0087600.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087601.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087602.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087603.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087604.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087605.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087606.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087607.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087608.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087609.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087610.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087611.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087612.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087613.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087614.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087615.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087616.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087617.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087618.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087619.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087620.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087621.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087622.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087623.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087624.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087625.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087626.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087627.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087628.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.7
ProductVersion : 8.0.7.7
InternalName : runpool.dll
OriginalFilename : runpool.dll


Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087629.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087630.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087631.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087632.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087633.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087634.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087635.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087636.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087637.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087638.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : IdleUI Dynamic Link Library
FileDescription : IdleUI Dynamic Link Library
InternalName : IdleUI
LegalCopyright : Copyright © 2003
OriginalFilename : IdleUI.dll


istbar Object Recognized!
Type : File
Data : A0087639.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087640.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087641.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087642.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087643.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087644.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087645.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087646.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087647.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087648.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087649.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087650.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087651.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087652.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087653.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.2
ProductVersion : 8.0.7.2
ProductName : Loader
FileDescription : Loader
InternalName : loader
LegalCopyright : Copyright © 2003
OriginalFilename : loader.exe


istbar Object Recognized!
Type : File
Data : A0087654.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087655.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087656.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087657.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087658.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087659.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087660.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087661.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 71


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {0ABCE593-A2F9-DA6D-2B6D-D92E2B05E875}

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 11
Objects found so far: 82

8:30:54 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:37.891
Objects scanned:112227
Objects identified:82
Objects ignored:0
New critical objects:82
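
The log above is long enough that the question "what is actually still live on the machine, and what is just a copy sitting in a System Restore snapshot?" is hard to answer by eye. Below is an added example, not part of this thread and not Lavasoft's code: a small parser for the Ad-Aware SE log layout as it appears in the posted scans. It relies only on conventions visible above (an "<family> Object Recognized!" header, "Key : Value" lines, a blank line ending each block, "Warning! "<path>"Process could not be terminated!" lines, and the C:\System Volume Information\_restore{...} path prefix for restore-point copies). The function and constant names are my own. The embedded sample is a constructed, trimmed excerpt in the same layout as the log in post #3.

```python
import re
from collections import Counter, defaultdict
RECOGNIZED_RE = re.compile(r"^(?P<family>.+?) Object Recognized!$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")
UNTERMINATED_RE = re.compile(r'^Warning! "(?P<path>[^"]+)"Process could not be terminated!$')
# Ad-Aware lists files inside XP System Restore snapshots under this path prefix.
RESTORE_MARKER = "\\system volume information\\_restore{"

# Constructed sample: a trimmed excerpt laid out like the log posted above.
SAMPLE_LOG = r"""
VX2 Object Recognized!
Type : Process
Data : javage32.exe
Object : C:\WINDOWS\

Warning! "C:\WINDOWS\javage32.exe"Process could not be terminated!

CoolWebSearch Object Recognized!
Type : Process
Data : crpm.exe
Object : C:\WINDOWS\

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dan@fastclick[2].txt

istbar Object Recognized!
Type : File
Data : A0087600.exe
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\

CoolWebSearch Object Recognized!
Type : RegValue
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {0ABCE593-A2F9-DA6D-2B6D-D92E2B05E875}
"""

def parse_log(text):
    """One dict per 'Object Recognized!' block; a blank line ends the block."""
    detections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECOGNIZED_RE.match(line)
        if m:
            current = {"family": m.group("family")}
            detections.append(current)
        elif not line:
            current = None
        elif current is not None:
            f = FIELD_RE.match(line)
            if f:
                current[f.group("key").strip()] = f.group("value").strip()
    return detections

def location(det):
    """memory / registry / cookie / restore_point / file, from Type and Object."""
    kind = det.get("Type", "")
    if kind == "Process":
        return "memory"
    if kind in ("Regkey", "RegValue"):
        return "registry"
    if kind == "IECache Entry":
        return "cookie"
    if RESTORE_MARKER in det.get("Object", "").lower():
        return "restore_point"
    return "file"

def identifier(det):
    """Registry path (plus value name) or full file path of one detection."""
    if det.get("Rootkey"):
        path = det["Rootkey"] + "\\" + det.get("Object", "")
        return path + " -> " + det["Value"] if det.get("Value") else path
    return det.get("Object", "") + det.get("Data", "")

def summarize(text):
    """{family: {location: count}} for every recognized object in the log."""
    by_family = defaultdict(Counter)
    for det in parse_log(text):
        by_family[det["family"]][location(det)] += 1
    return {fam: dict(c) for fam, c in by_family.items()}

def unterminated_processes(text):
    """Paths Ad-Aware could not kill; expect them back in the next scan."""
    lines = map(str.strip, text.splitlines())
    return sorted({m.group("path") for m in map(UNTERMINATED_RE.match, lines) if m})

def live_objects(text, family):
    """One family's objects outside restore-point snapshots: what a
    family-only removal (the CoolWebSearch step above) actually touches."""
    return [f'{d.get("Type", "?")}: {identifier(d)}' for d in parse_log(text)
            if d["family"] == family and location(d) != "restore_point"]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), unterminated_processes(SAMPLE_LOG), live_objects(SAMPLE_LOG, "CoolWebSearch"))
```

Run against a full pasted log, `summarize` shows at a glance that most of the 82 objects are restore-point copies of istbar and Rads01.Quadrogram, while `unterminated_processes` isolates the one process (javage32.exe, flagged as VX2) that Ad-Aware could not kill, which is why it reappears from scan to scan. `live_objects(log, "CoolWebSearch")` lists exactly the process and registry entries a CoolWebSearch-only removal would touch.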
#4 Rawe (Visiting Staff, 4,746 posts)
Ad-aware has found object(s) on your computer

If you choose to clean your computer from what Ad-aware found, follow these instructions below…

Make sure that you are using the * SE1R42 28.04.2005 * definition file.


Open up Ad-Aware SE and click on the gear to access the Configuration menu. Make sure that this setting is applied.

Click on Tweak > Cleaning engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder itself):

Run CCleaner to assist in this process.
Download CCleaner (Setup: go to Options > Settings > uncheck "Only delete files in Windows Temp folders older than 48 hours" so that it also cleans malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Run Ad-Aware SE from the command line shown in the instructions below.

Click "Start" > select "Run" > type the text shown below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click Ok.

Note: the path above is the default installation location for Ad-aware SE; if yours is different, adjust it to the location you installed it to.

When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to CoolWebSearch ONLY. Click Next, then click OK.

If problems are caused by deleting a family, just leave it.


Reboot your computer after removal, run a new "full system scan" and post the results as a reply. Don't open any programs or connect to the internet at this time.

Then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted; once the "Summary of this scan" information is shown, you have posted all of your logfile.

Also, keep in mind that when you are posting another logfile, keep "Search for negligible risk entries" deselected, as negligible risk entries (MRUs) aren't considered a threat. This option can be changed when choosing your scan type.

Remember to post your fresh scanlog in THIS topic.

- Rawe
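The cleanup step in the post above is easy to get wrong by hand: the temp folders of every profile on the machine have to be emptied, not only the current user's, and the folders themselves must stay in place. The Python script below is an added example and not a tool from the thread or from Lavasoft. It walks a "Documents and Settings" tree, empties each profile's Local Settings\Temp and Temporary Internet Files plus an optional Windows temp folder, and reports what it removed and what it could not (files still held open by a running process, which Ad-Aware's reboot-time removal is there for). It runs in dry-run mode unless told otherwise and exercises itself against a constructed temporary tree; the profile names in that tree are made up.

```python
import os
import shutil
import tempfile

# Sub-folders named in the post, relative to each profile directory in the
# Windows XP "Documents and Settings" layout.
PROFILE_TEMP_SUBDIRS = (
    os.path.join("Local Settings", "Temp"),
    os.path.join("Local Settings", "Temporary Internet Files"),
)


def profile_temp_dirs(profiles_root):
    """Return every existing temp folder for every profile under profiles_root."""
    found = []
    for profile in sorted(os.listdir(profiles_root)):
        for sub in PROFILE_TEMP_SUBDIRS:
            path = os.path.join(profiles_root, profile, sub)
            if os.path.isdir(path):
                found.append(path)
    return found


def empty_directory(path, dry_run=True):
    """Delete the contents of path but never path itself.

    Returns (removed, skipped). In dry-run mode every entry is reported as
    removed and nothing is touched. Entries that cannot be deleted, typically
    files still held open by a running process, land in skipped.
    """
    removed, skipped = [], []
    for name in sorted(os.listdir(path)):
        child = os.path.join(path, name)
        if dry_run:
            removed.append(child)
            continue
        try:
            if os.path.isdir(child) and not os.path.islink(child):
                shutil.rmtree(child)
            else:
                os.remove(child)
            removed.append(child)
        except OSError:
            skipped.append(child)  # in use; left for the reboot-time removal
    return removed, skipped


def clean_temp_folders(profiles_root, windows_temp=None, dry_run=True):
    """Empty the Windows temp folder (if given) and every profile temp folder.

    Returns {folder: (removed, skipped)} so the caller can review the result.
    """
    targets = profile_temp_dirs(profiles_root)
    if windows_temp and os.path.isdir(windows_temp):
        targets.insert(0, windows_temp)
    return {target: empty_directory(target, dry_run=dry_run) for target in targets}


def build_demo_tree():
    """Constructed stand-in for a Documents and Settings tree (made-up profiles),
    so the script can be tried offline without touching a real system."""
    root = tempfile.mkdtemp(prefix="docs_and_settings_")
    for profile in ("Dan", "Guest"):
        for sub in PROFILE_TEMP_SUBDIRS:
            folder = os.path.join(root, profile, sub)
            os.makedirs(folder)
            with open(os.path.join(folder, "2.tmp"), "w") as fh:
                fh.write("x")
            os.makedirs(os.path.join(folder, "Content.IE5"))  # IE cache sub-folder
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for folder, (gone, kept) in clean_temp_folders(demo_root, dry_run=False).items():
        print(f"{folder}: removed {len(gone)}, skipped {len(kept)}")
        assert os.path.isdir(folder)  # the folder itself survives
    shutil.rmtree(demo_root)
```

On a real XP machine the call would be clean_temp_folders(r"C:\Documents and Settings", r"C:\Windows\Temp", dry_run=False), run from an account that can read every profile; review the dry-run output first, since the Temporary Internet Files folders also hold cookies and cached content for every user.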

#5
dnkrm

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hey, I did all that before I posted the last log. Do you want me to do it again? Let me know. Thanks.

#6
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Well, there is a new update, and I would recommend that you go through my instructions again with the updated definitions.

- Rawe

#7
dnkrm

    New Member

  • Topic Starter
  • Member
  • 8 posts
I see. Is it a problem that I can't run Ad-Aware from the Run prompt in Safe Mode? What does the +procnuke command do? Thanks for your help!

#8
Guest_Andy_veal_*

  • Guest
Try the above instructions in Normal Mode then, please.


#9
dnkrm

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hey, thanks for the help. I ran CCleaner, went into Safe Mode, could not run Ad-Aware from the Run prompt, so I just double-clicked the program icon to start it and ran a full scan. Removed CoolWebSearch items only. Next, went back to Normal Mode; the full scan is below.

One thing to note: in the middle of the full scan the program appears to freeze for about 3-4 minutes while it is scanning my Spybot files, and then it comes out of it and continues. It has done this every time I have run a scan. Let me know what to do next. Thanks.


Ad-Aware SE Build 1.05
Logfile Created on:Friday, April 29, 2005 7:07:44 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R42 28.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):1 total references
CoolWebSearch(TAC index:10):14 total references
istbar(TAC index:7):25 total references
Rads01.Quadrogram(TAC index:6):32 total references
SCBAR(TAC index:3):1 total references
SecondThought(TAC index:4):6 total references
Tracking Cookie(TAC index:3):2 total references
WhenU(TAC index:3):1 total references
VX2(TAC index:10):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4/29/2005 7:07:44 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 412
ThreadCreationTime : 4/30/2005 12:06:19 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 492
ThreadCreationTime : 4/30/2005 12:06:21 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 536
ThreadCreationTime : 4/30/2005 12:06:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 4/30/2005 12:06:21 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 4/30/2005 12:06:22 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 788
ThreadCreationTime : 4/30/2005 12:06:23 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1040
ThreadCreationTime : 4/30/2005 12:06:25 AM
BasePriority : Normal
FileVersion : 8.18
ProductVersion : 8.18
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1068
ThreadCreationTime : 4/30/2005 12:06:25 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:9 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1152
ThreadCreationTime : 4/30/2005 12:06:25 AM
BasePriority : Normal
FileVersion : 8.18
ProductVersion : 8.18
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:10 [javage32.exe]
FilePath : C:\WINDOWS\
ProcessID : 1172
ThreadCreationTime : 4/30/2005 12:06:25 AM
BasePriority : Normal


VX2 Object Recognized!
Type : Process
Data : javage32.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\


Warning! VX2 Object found in memory(C:\WINDOWS\javage32.exe)

Warning! "C:\WINDOWS\javage32.exe"Process could not be terminated!
Warning! "C:\WINDOWS\javage32.exe"Process could not be terminated!

#:11 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1240
ThreadCreationTime : 4/30/2005 12:06:27 AM
BasePriority : Normal
FileVersion : 1.00.37
ProductVersion : 1.00.37
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:12 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 1284
ThreadCreationTime : 4/30/2005 12:06:27 AM
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1436
ThreadCreationTime : 4/30/2005 12:06:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ProcessID : 1464
ThreadCreationTime : 4/30/2005 12:06:27 AM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2000
ThreadCreationTime : 4/30/2005 12:06:31 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:16 [mhotkey.exe]
FilePath : C:\WINDOWS\
ProcessID : 196
ThreadCreationTime : 4/30/2005 12:06:33 AM
BasePriority : Normal
FileVersion : 2, 2, 2, 0
ProductVersion : 2, 2, 2, 0
ProductName : Chicony Multimedia Driver
CompanyName : Chicony
FileDescription : Chicony Multimedia Driver
InternalName : Multimedia Hotkey Driver
LegalCopyright : Copyright © 2001 Chicony
OriginalFilename : mHotkey.res

#:17 [hpqcmon.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\
ProcessID : 216
ThreadCreationTime : 4/30/2005 12:06:33 AM
BasePriority : Normal
FileVersion : 2.0.0.133
ProductVersion : 2.0.0.133
ProductName : HpqCmon Application
FileDescription : HpqCmon MFC Application
InternalName : HpqCmon
LegalCopyright : Copyright © 2001
OriginalFilename : HpqCmon.EXE

#:18 [hpgs2wnd.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 224
ThreadCreationTime : 4/30/2005 12:06:33 AM
BasePriority : Normal
FileVersion : 2,3,0,0\ 162
ProductVersion : 2,3,0,0\ 162
ProductName : Hewlett-Packard hpgs2wnd
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
LegalCopyright : Copyright © 2001
OriginalFilename : hpgs2wnd.exe

#:19 [crpm.exe]
FilePath : C:\WINDOWS\
ProcessID : 328
ThreadCreationTime : 4/30/2005 12:06:33 AM
BasePriority : Normal


CoolWebSearch Object Recognized!
Type : Process
Data : crpm.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\


Warning! CoolWebSearch Object found in memory(C:\WINDOWS\crpm.exe)

"C:\WINDOWS\crpm.exe"Process terminated successfully
"C:\WINDOWS\crpm.exe"Process terminated successfully

#:20 [bigfix.exe]
FilePath : C:\Program Files\BigFix\
ProcessID : 456
ThreadCreationTime : 4/30/2005 12:06:35 AM
BasePriority : Normal
FileVersion : 1, 7, 6, 0
ProductVersion : 1, 7, 6, 0
ProductName : BigFix
CompanyName : BigFix Inc.
FileDescription : BigFix Client Application
InternalName : BigFix
LegalCopyright : Copyright © 2002
OriginalFilename : BigFix.exe

#:21 [quickdcf.exe]
FilePath : C:\Program Files\FinePixViewer\
ProcessID : 664
ThreadCreationTime : 4/30/2005 12:06:35 AM
BasePriority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
ProductName : FinePixViewer
CompanyName : FUJI PHOTO FILM CO., LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
LegalCopyright : Copyright 2000-2003 FUJI PHOTO FILM CO.,LTD.
OriginalFilename : QuickDCF.exe

#:22 [hpgs2wnf.exe]
FilePath : c:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 824
ThreadCreationTime : 4/30/2005 12:06:35 AM
BasePriority : Normal
FileVersion : 2, 6, 0, 162
ProductVersion : 2, 6, 0, 162
ProductName : hpgs2wnf Module
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
LegalCopyright : Copyright 2001
OriginalFilename : hpgs2wnf.EXE

#:23 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 924
ThreadCreationTime : 4/30/2005 12:06:36 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:24 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2136
ThreadCreationTime : 4/30/2005 12:06:55 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:25 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2316
ThreadCreationTime : 4/30/2005 12:07:12 AM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 3


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dan@fastclick[2].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/
Expires : 4/18/2007 6:03:02 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 4



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : dan@fastclick[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Dan\Cookies\dan@fastclick[2].txt

SCBAR Object Recognized!
Type : File
Data : A0087596.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1.0.0.2
ProductVersion : 1.0.0.2


180Solutions Object Recognized!
Type : File
Data : A0087597.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : version Application
FileDescription : version MFC Application
InternalName : version
LegalCopyright : Copyright © 2003
OriginalFilename : version.EXE


SecondThought Object Recognized!
Type : File
Data : A0087598.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.1
ProductVersion : 8.0.7.1
ProductName : STC Application
FileDescription : Second Thought
InternalName : STC
LegalCopyright : Copyright © 2003
OriginalFilename : STC.exe


WhenU Object Recognized!
Type : File
Data : A0087599.exe
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1, 6, 1, 3
ProductVersion : 1, 6, 1, 3
ProductName : Save! Setup
CompanyName : WhenU.com, Inc.
FileDescription : Save! Setup
InternalName : SaveInst
LegalCopyright : Copyright 2000
OriginalFilename : SaveInst.exe


istbar Object Recognized!
Type : File
Data : A0087600.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087601.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087602.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087603.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087604.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087605.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087606.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087607.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087608.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087609.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087610.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087611.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087612.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087613.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087614.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087615.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087616.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087617.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087618.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087619.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087620.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087621.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087622.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087623.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087624.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087625.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087626.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087627.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087628.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.7
ProductVersion : 8.0.7.7
InternalName : runpool.dll
OriginalFilename : runpool.dll


Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087629.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087630.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087631.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087632.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087633.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087634.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087635.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087636.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087637.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087638.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : IdleUI Dynamic Link Library
FileDescription : IdleUI Dynamic Link Library
InternalName : IdleUI
LegalCopyright : Copyright © 2003
OriginalFilename : IdleUI.dll


istbar Object Recognized!
Type : File
Data : A0087639.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087640.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087641.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087642.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087643.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087644.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087645.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087646.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087647.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087648.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087649.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087650.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087651.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087652.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



SecondThought Object Recognized!
Type : File
Data : A0087653.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\
FileVersion : 8.0.7.2
ProductVersion : 8.0.7.2
ProductName : Loader
FileDescription : Loader
InternalName : loader
LegalCopyright : Copyright © 2003
OriginalFilename : loader.exe


istbar Object Recognized!
Type : File
Data : A0087654.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087655.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087656.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087657.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087658.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



istbar Object Recognized!
Type : File
Data : A0087659.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087660.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Rads01.Quadrogram Object Recognized!
Type : File
Data : A0087661.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{6858ADA2-A446-4103-A4FD-946787D11A04}\RP508\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 71


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {0ABCE593-A2F9-DA6D-2B6D-D92E2B05E875}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : File
Data : 2.tmp
Category : Malware
Comment :
Object : C:\DOCUME~1\Dan\LOCALS~1\Temp\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 83

7:24:53 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:08.938
Objects scanned:112585
Objects identified:83
Objects ignored:0
New critical objects:83
  • 0

#10
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Could you boot into safe mode

Open Task Manager, (Ctrl Alt Delete keys)

Click File,

Then New task,

Please then try to run Ad-aware from the Command line

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke


If this works,

Select CWS only again,

Reboot.

Rescan and then post your latest logfile here

Thanks

:tazz:
  • 0



#11
dnkrm

dnkrm

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hey Andy, I went to Task Manager, clicked New Task, typed in the command, and when I hit Enter the "Dr. Watson Debugger needs to close" window popped up and the computer locked and I had to end the Dr. Watson process to unlock it. Let me know what to do, thanks
  • 0

#12
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Please scan your computer with one of these free online AV scanners and post your results here


Panda

Symantec

McAfee

TrendMicro Recommended

F-secure


Thanks

Andy
  • 0

#13
dnkrm

dnkrm

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Unfortunately my Internet Explorer is not working. Whenever I try to open the program the "Internet Explorer has committed an error and must close" box pops up immediately, so I can't run any of those scans. Let me know if you can help me with that. Thanks
  • 0

#14
prab

prab

    Member

  • Member
  • PipPip
  • 61 posts
Are you sure that Internet explorer does not work? It seems to be running according to your log file. I believe you, but the facts just don't add up. :tazz:

#:23 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
FileDescription : Internet Explorer


If it still is not working, try booting into "Safe mode with networking" and then launching Internet Explorer. Then follow the instructions in the post above.

~Prab~

Edited by prab, 30 April 2005 - 08:22 PM.

  • 0
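Added example, not code from this thread or from Lavasoft: a small Python parser for the Ad-Aware SE log layout posted above, which answers the two things a helper reads off such a log (what was found, and whether iexplore.exe appeared in the running-process list). The sample log is constructed in that layout and the restore-point GUID is a placeholder.

```python
import re
from collections import Counter

# Constructed sample in the Ad-Aware SE log layout used in the thread (not the poster's log).
SAMPLE_LOG = """\
#:23 [iexplore.exe]
FilePath : C:\\Program Files\\Internet Explorer\\

istbar Object Recognized!
Type : File
Data : A0087658.exe
Object : C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP508\\

CoolWebSearch Object Recognized!
Type : RegValue
Object : software\\microsoft\\internet explorer\\urlsearchhooks

CoolWebSearch Object Recognized!
Type : File
Data : 2.tmp
Object : C:\\DOCUME~1\\Dan\\LOCALS~1\\Temp\\
"""

DETECT_RE = re.compile(r"^(?P<family>.+?) Object Recognized!$")
PROC_RE = re.compile(r"^#:\d+ \[(?P<image>[^\]]+)\]$")

def parse_adaware_log(text):
    """Return (detections, processes): one dict per 'Object Recognized!' block
    (family plus its 'Key : Value' fields) and the images from '#:N [image]' lines."""
    detections, processes, current = [], [], None
    for line in text.splitlines():
        if not line.strip():            # a blank line closes the current block
            current = None
        elif (m := DETECT_RE.match(line)):
            current = {"family": m.group("family")}
            detections.append(current)
        elif (m := PROC_RE.match(line)):
            processes.append(m.group("image").lower())
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return detections, processes

def triage(text):
    """Hits per family, how many sit only in System Restore points, and whether IE ran."""
    detections, processes = parse_adaware_log(text)
    restore = sum("system volume information" in d.get("Object", "").lower() for d in detections)
    return {"per_family": Counter(d["family"] for d in detections),
            "restore_point_hits": restore,
            "live_hits": len(detections) - restore,
            "iexplore_running": "iexplore.exe" in processes}
```

Detections under System Volume Information live in restore points and are counted separately because they reappear on every rescan until System Restore is cleared; the live hits are the ones that still need cleaning.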

#15
dnkrm

dnkrm

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hey, I tried opening Internet Explorer in safe mode and had no luck. The same box popped up saying it had encountered a problem and must close. Any help from here is appreciated. Thanks
  • 0
