VX-2 Add-on ineffective


This topic is locked

#1 jm4 (New Member, 4 posts)
Hello,

I'm suffering from VX2 and smitfraud, for starters. Proceeding through the "before you post" steps before posting a HJT! log.

Problem: Ad-Aware SE locates VX2; attempting to delete VX2 freezes the program. Downloaded VX2 Add-on removal tool, but tool consistently reports system clean. Panda also identifies VX2. Thanks in advance for any advice.


#2 Rawe (Visiting Staff, 4,746 posts)
Welcome!

If you need help, post the Ad-Aware SE scanlog from a "Full system scan".

Note: always run the WebUpdate feature before scanning your system, that way you are always up-to-date. At the moment the SE1R42 28.04.2005 definition file is the latest one.

Ad-Aware comes preconfigured with default options, so we need you to make one change. Deselect the "Search for negligible risk entries" setting, because MRU lists aren't considered a threat. You can change this setting when selecting your scan type. Also, delete all tracking cookies just before scanning; they aren't a threat and just take up space in your posts.

Select "Perform full system scan" and click next. When the scan has finished, click "Show logfile".

Then, copy & paste the complete scanlog here using the Add Reply feature. Don't quarantine or remove anything at this time, just post a complete logfile. This may take 2-3 posts to get it all here. You'll know you are at the end when you see that the "Summary of this scan" information has been posted.

When you have posted the complete logfile from the "Full system scan", we will tell you what to do.

Good day!

- Rawe :tazz:

#3 jm4 (Topic Starter, New Member, 4 posts)
Thanks for the lightning-fast reply! I won't be home until 6:30 p.m. CST, but will post results then. Thanks again.

#4 Rawe (Visiting Staff, 4,746 posts)
Post the log whenever you have time for it.
I'll be here. ;)

- Rawe :tazz:

#5 jm4 (Topic Starter, New Member, 4 posts)
OK, here is the full-scan log file, with tracking cookies deleted and negligible risk entries deselected. As I said in my initial post, the reason I'm posting in this forum (instead of the malware forum) is that I can't figure out why the VX2 removal tool won't recognize all these instances of VX2. If we can take care of that I'll continue with the "before you post" procedures and then, if still necessary, post an HJT! log in the malware forum. Many thanks again.

Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, May 04, 2005 7:59:04 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R42 28.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):18 total references
Possible Browser Hijack attempt(TAC index:3):1 total references
Security iGuard(TAC index:9):3 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R42 28.04.2005
Internal build : 49
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 466557 Bytes
Total size : 1403889 Bytes
Signature data size : 1373297 Bytes
Reference data size : 30080 Bytes
Signatures total : 39226
Fingerprints total : 836
Fingerprints size : 28245 Bytes
Target categories : 15
Target families : 654


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:0 %
Total physical memory:114060 kb
Available physical memory:608 kb
Total page file size:1983088 kb
Available on page file:1800120 kb
Total virtual memory:2093056 kb
Available virtual memory:2040448 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


5-4-2005 7:59:04 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293873439
Threads : 8
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294937087
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294846527
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [BCMDMMSG.EXE]
ModuleName : C:\WINDOWS\BCMDMMSG.EXE
Command Line : C:\WINDOWS\BCMDMMSG.exe
ProcessID : 4294844515
Threads : 1
Priority : Normal
FileVersion : 3.2.09 07/06/2000 14:06:52
ProductVersion : 3.2.09 07/06/2000 14:06:52
ProductName : BCM Modem Messaging Applet
CompanyName : BCM
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © BCM 1998-2000
OriginalFilename : smdmstat.exe

#:5 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294840463
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:6 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294880795
Threads : 3
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:7 [SSDPSRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SSDPSRV.EXE
Command Line : C:\WINDOWS\SYSTEM\ssdpsrv.exe
ProcessID : 4294874959
Threads : 4
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : ssdpsrv.exe

#:8 [CCEVTMGR.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
Command Line : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ProcessID : 4294892831
Threads : 14
Priority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:9 [CCSETMGR.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
Command Line : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
ProcessID : 4294783359
Threads : 5
Priority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:10 [NPFMNTOR.EXE]
ModuleName : C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
Command Line : "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"
ProcessID : 4294783023
Threads : 3
Priority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Firewall Install Monitor
InternalName : NPFMonitor
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NPFMonitor.EXE

#:11 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4294799215
Threads : 20
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:12 [STMGR.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
Command Line : C:\WINDOWS\System\Restore\StMgr.exe
ProcessID : 4294739927
Threads : 4
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:13 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4293106799
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:14 [SK9910DM.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SK9910DM.EXE
Command Line : "C:\WINDOWS\SYSTEM\SK9910DM.EXE"
ProcessID : 4293092427
Threads : 1
Priority : Normal
FileVersion : 1, 0, 9, 0
CompanyName : Silitek Corporation
FileDescription : Daemon
LegalCopyright : Copyright © Silitek Corp. 1999, 2000

#:15 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe WMI_ffe39a1b
ProcessID : 4293108899
Threads : 3
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:16 [DIRECTCD.EXE]
ModuleName : C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
Command Line : "C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE"
ProcessID : 4293015407
Threads : 1
Priority : Normal
FileVersion : 3.01e (184)
ProductVersion : 3.01e (184)
ProductName : DirectCD
CompanyName : Adaptec
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 1996-2000 Adaptec, Inc.
OriginalFilename : DirectCD.EXE

#:17 [SYGATE.EXE]
ModuleName : C:\PROGRAM FILES\SYGATE\SYGATE\SYGATE.EXE
Command Line : "C:\PROGRAM FILES\SYGATE\SYGATE\Sygate.exe"
ProcessID : 4293023695
Threads : 2
Priority : Normal
FileVersion : 4, 0, 759, 1
ProductVersion : 4, 0, 1, 0
ProductName : Sygate
CompanyName : Sygate Technologies, Inc.
FileDescription : Sygate - Internet Sharing Software
InternalName : Sygate Component
LegalCopyright : Sygate Technologies, Inc. © 1997-2001
LegalTrademarks : Sygate is a trademark of Sygate Technologies, Inc.

#:18 [SYMLCSVC.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
Command Line : "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
ProcessID : 4293065911
Threads : 1
Priority : Normal
FileVersion : 1, 8, 54, 534
ProductVersion : 1, 8, 54, 534
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:19 [CCAPP.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
Command Line : "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ProcessID : 4293056903
Threads : 36
Priority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:20 [CREATECD.EXE]
ModuleName : C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
Command Line : "C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE" -r
ProcessID : 4292943591
Threads : 1
Priority : Normal
FileVersion : 4.02e (310)
ProductVersion : 4.02e (310)
ProductName : Easy CD Creator
CompanyName : Adaptec
FileDescription : Adaptec Create CD
InternalName : createcd.exe
LegalCopyright : Copyright © 1996-2000 Adaptec, Inc.
OriginalFilename : createcd.exe

#:21 [SYSNV.EXE]
ModuleName : C:\WINDOWS\SYSNV.EXE
Command Line : "C:\WINDOWS\SYSNV.EXE"
ProcessID : 4292971771
Threads : 4
Priority : Normal


#:22 [TASKPANL.EXE]
ModuleName : C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
Command Line : "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
ProcessID : 4292878359
Threads : 10
Priority : Normal
FileVersion : 2005.1.57.0
ProductVersion : 2005.1.57.0
ProductName : EarthLink TotalAccess
CompanyName : EarthLink, Inc.
LegalCopyright : © EarthLink, Inc. All rights reserved.

#:23 [TAPISRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TAPISRV.EXE
Command Line : tapisrv.exe
ProcessID : 4293381783
Threads : 5
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Windows™ Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright © Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:24 [DDHELP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\DDHELP.EXE
Command Line : ddhelp.exe
ProcessID : 4293164039
Threads : 2
Priority : Realtime
FileVersion : 4.08.00.0400
ProductVersion : 4.08.00.0400
ProductName : Microsoft® DirectX for Windows® 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2000
OriginalFilename : DDHelp.exe

#:25 [SNDSRVC.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
Command Line : "C:\PROGRA~1\COMMON~1\SYMANT~1\SndSrvc.exe"
ProcessID : 4293191187
Threads : 7
Priority : Normal
FileVersion : 5.4.4.17
ProductVersion : 5.4
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:26 [ELINKACC.EXE]
ModuleName : C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ACCELERATOR\ELINKACC.EXE
Command Line : "C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe"
ProcessID : 4293364011
Threads : 3
Priority : Normal


#:27 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4293859015
Threads : 3
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:28 [NETLR32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\NETLR32.EXE
Command Line : C:\WINDOWS\system\netlr32.exe /s
ProcessID : 4293561183
Threads : 1
Priority : Normal


VX2 Object Recognized!
Type : Process
Data : NETLR32.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\


Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\NETLR32.EXE)

"C:\WINDOWS\SYSTEM\NETLR32.EXE"Process terminated successfully

#:29 [SYSYU32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSYU32.EXE
Command Line : C:\WINDOWS\SYSTEM\SYSYU32.EXE /s
ProcessID : 4202694111
Threads : 1
Priority : Normal


VX2 Object Recognized!
Type : Process
Data : SYSYU32.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\


Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\SYSYU32.EXE)

"C:\WINDOWS\SYSTEM\SYSYU32.EXE"Process terminated successfully

#:30 [SYSYU32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSYU32.EXE
Command Line : C:\WINDOWS\SYSTEM\SYSYU32.EXE /s
ProcessID : 4293243971
Threads : 1
Priority : Normal


VX2 Object Recognized!
Type : Process
Data : SYSYU32.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\


Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\SYSYU32.EXE)

"C:\WINDOWS\SYSTEM\SYSYU32.EXE"Process terminated successfully

#:31 [NETLR32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\NETLR32.EXE
Command Line : C:\WINDOWS\SYSTEM\NETLR32.EXE /s
ProcessID : 4203156883
Threads : 1
Priority : Normal


VX2 Object Recognized!
Type : Process
Data : NETLR32.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\


Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\NETLR32.EXE)

"C:\WINDOWS\SYSTEM\NETLR32.EXE"Process terminated successfully

#:32 [SYSAJ.EXE]
ModuleName : C:\WINDOWS\SYSAJ.EXE
Command Line : C:\WINDOWS\sysaj.exe /s
ProcessID : 4293405023
Threads : 1
Priority : Normal


VX2 Object Recognized!
Type : Process
Data : SYSAJ.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\


Warning! VX2 Object found in memory(C:\WINDOWS\SYSAJ.EXE)

"C:\WINDOWS\SYSAJ.EXE"Process terminated successfully

#:33 [SYSYU32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSYU32.EXE
Command Line : C:\WINDOWS\SYSTEM\SYSYU32.EXE /s
ProcessID : 4293365123
Threads : 1
Priority : Normal


VX2 Object Recognized!
Type : Process
Data : SYSYU32.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\


Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\SYSYU32.EXE)

"C:\WINDOWS\SYSTEM\SYSYU32.EXE"Process terminated successfully

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 6


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}
Value :

Security iGuard Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\rex-services

Security iGuard Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\rex-services
Value : MGuid

Windows Object Recognized!
Type : RegData
Data : explorer.exe, msmsgs.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe, msmsgs.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 11


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\WINDOWS\Favorites\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {77147D9C-260D-0E8E-F1F8-89AA214A95A1}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data :
Category : Malware
Comment : PROXY ENABLED - CHECK PROXY SETTINGS - Check this item if you do not use a proxy server - If a proxy server is in use, its settings in your Internet Options need to be verified.
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\internet settings
Value : ProxyEnable
Data :

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

Security iGuard Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\WINDOWS\Application Data\Rex-Services

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 30

8:03:49 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:45.660
Objects scanned:47215
Objects identified:30
Objects ignored:0
New critical objects:30
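To read a scanlog like the one above at a glance (the seven VX2 references are six running processes that Ad-Aware terminated in memory plus one registry value, and the rest are registry and file hits), here is a small parser for the Ad-Aware SE "Object Recognized!" block format. It is an added example, not code from the thread or from Lavasoft; the embedded log is a constructed excerpt in the same format, not jm4's full log.

```python
"""Parser for the 'Object Recognized!' blocks in an Ad-Aware SE scanlog.

Added example (not from the thread or from Lavasoft): groups detections by
family and type and separates memory-resident Process hits from registry
hits, so a log like the one above can be read at a glance."""
import re
from collections import Counter

# Constructed excerpt in the Ad-Aware SE scanlog format, not the poster's log.
SAMPLE_LOG = r"""
VX2 Object Recognized!
Type : Process
Data : NETLR32.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\

Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\NETLR32.EXE)

"C:\WINDOWS\SYSTEM\NETLR32.EXE"Process terminated successfully

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {77147D9C-260D-0E8E-F1F8-89AA214A95A1}

Windows Object Recognized!
Type : RegData
Data : explorer.exe, msmsgs.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe, msmsgs.exe
"""

RECOGNIZED = re.compile(r"^(?P<family>.+?) Object Recognized!$")
IN_MEMORY = re.compile(r"^Warning! (?P<family>.+?) Object found in memory\((?P<path>.+)\)$")
TERMINATED = re.compile(r'^"(?P<path>.+)"Process terminated successfully$')
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*) :\s?(.*)$")  # 'Key : Value' or bare 'Key :'

def parse_scanlog(text):
    """One dict per block: 'family' plus the block's fields. Process hits
    also get 'path' (from the in-memory warning) and 'terminated'."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes the block
            current = None
            continue
        if m := RECOGNIZED.match(line):
            current = {"family": m.group("family")}
            records.append(current)
        elif m := IN_MEMORY.match(line):
            # Attach the full path to the latest pathless Process hit of that family.
            for rec in reversed(records):
                if rec["family"] == m.group("family") and rec.get("Type") == "Process" and "path" not in rec:
                    rec["path"] = m.group("path")
                    break
        elif m := TERMINATED.match(line):
            for rec in reversed(records):
                if rec.get("path") == m.group("path") and "terminated" not in rec:
                    rec["terminated"] = True
                    break
        elif current is not None and (m := FIELD.match(line)):
            # 'Data' is printed twice in RegData blocks; keep the first copy.
            current.setdefault(m.group(1), m.group(2).strip())
    return records

def summarize(records):
    """Counts per family (the log's 'References detected' totals) and per (family, Type)."""
    by_family = Counter(r["family"] for r in records)
    by_type = Counter((r["family"], r.get("Type", "?")) for r in records)
    return by_family, by_type

def memory_resident(records):
    """(path, terminated?) for hits that were running processes at scan time."""
    return [(r["path"], r.get("terminated", False))
            for r in records if r.get("Type") == "Process" and "path" in r]

def registry_items(records):
    """(full key path, value name) for registry hits."""
    return [(r["Rootkey"] + "\\" + r["Object"], r.get("Value", ""))
            for r in records if "Rootkey" in r]

if __name__ == "__main__":
    recs = parse_scanlog(SAMPLE_LOG)
    fam, typ = summarize(recs)
    for family, n in fam.most_common():
        types = ", ".join(f"{t}={c}" for (f, t), c in typ.items() if f == family)
        print(f"{family}: {n} ({types})")
    for path, killed in memory_resident(recs):
        print("in memory:", path, "terminated" if killed else "still running")
```

Feeding the full posted log to `parse_scanlog` reproduces the per-family totals from its "References detected during the scan" header, which is a quick way to check that a pasted log arrived complete.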

#6 Rawe (Visiting Staff, 4,746 posts)
Ad-aware has found object(s) on your computer

If you choose to clean your computer of what Ad-aware found, follow the instructions below.

Make sure that you are using the * SE1R42 28.04.2005 * definition file.


Open up Ad-Aware SE and click on the gear to access the Configuration menu. Make sure that this setting is applied.

Click on Tweak > Cleaning engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder);

Run CCleaner to help in this process.
Download CCleaner (Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click Ok.

Note: the path above is the default installation location for Ad-aware SE; if yours is different, adjust it to the location you have installed it to.

When the scan has completed, select next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to CoolWebSearch ONLY. Click next, Click Ok.

If problems are caused by deleting a family, just leave it.


Reboot your computer after removal, run a new "full system scan" and post the results as a reply. Don't open any programs or connect to the internet at this time.

Then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted; once the "Summary of this scan" information is shown, you have posted all of your logfile.

Also, keep in mind that when you are posting another logfile, keep "Search for negligible risk entries" deselected, as negligible risk entries (MRUs) aren't considered a threat. This option can be changed when choosing your scan type.

Remember to post your fresh scanlog in THIS topic.

- Rawe :tazz:

#7 jm4 (Topic Starter, New Member, 4 posts)
Followed all steps, although I don't have the "Documents and Settings" folders. Sorry for the delay in replying, and thanks again in advance for any advice.

Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R43 06.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):18 total references
Possible Browser Hijack attempt(TAC index:3):3 total references
Security iGuard(TAC index:9):3 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R42 28.04.2005
Internal build : 49
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 466557 Bytes
Total size : 1403889 Bytes
Signature data size : 1373297 Bytes
Reference data size : 30080 Bytes
Signatures total : 39226
Fingerprints total : 836
Fingerprints size : 28245 Bytes
Target categories : 15
Target families : 654

5/7/2005 7:48:25 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R43 06.05.2005
Internal build : 50
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 467649 Bytes
Total size : 1414672 Bytes
Signature data size : 1383852 Bytes
Reference data size : 30308 Bytes
Signatures total : 39494
Fingerprints total : 847
Fingerprints size : 28739 Bytes
Target categories : 15
Target families : 663


5/7/2005 7:49:56 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:0 %
Total physical memory:114060 kb
Available physical memory:3440 kb
Total page file size:1983088 kb
Available on page file:1803636 kb
Total virtual memory:2093056 kb
Available virtual memory:2043584 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


5/7/2005 7:50:05 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293871775
Threads : 8
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294938239
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294845727
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:4 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294854463
Threads : 2
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:5 [SSDPSRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SSDPSRV.EXE
Command Line : C:\WINDOWS\SYSTEM\ssdpsrv.exe
ProcessID : 4294880379
Threads : 4
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : ssdpsrv.exe

#:6 [CCEVTMGR.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
Command Line : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ProcessID : 4294871887
Threads : 14
Priority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:7 [CCSETMGR.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
Command Line : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
ProcessID : 4294890219
Threads : 5
Priority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:8 [NPFMNTOR.EXE]
ModuleName : C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
Command Line : "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"
ProcessID : 4294785223
Threads : 3
Priority : Normal
FileVersion : 11.0.9.16
ProductVersion : 11.0.9
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Firewall Install Monitor
InternalName : NPFMonitor
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NPFMonitor.EXE

#:9 [BCMDMMSG.EXE]
ModuleName : C:\WINDOWS\BCMDMMSG.EXE
Command Line : C:\WINDOWS\BCMDMMSG.exe
ProcessID : 4293050627
Threads : 1
Priority : Normal
FileVersion : 3.2.09 07/06/2000 14:06:52
ProductVersion : 3.2.09 07/06/2000 14:06:52
ProductName : BCM Modem Messaging Applet
CompanyName : BCM
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © BCM 1998-2000
OriginalFilename : smdmstat.exe

#:10 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294806811
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:11 [STMGR.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
Command Line : C:\WINDOWS\System\Restore\StMgr.exe
ProcessID : 4294832363
Threads : 4
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:12 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4294846795
Threads : 17
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:13 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4292970291
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:14 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe WMI_ffe1f90b
ProcessID : 4292981647
Threads : 3
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:15 [SK9910DM.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SK9910DM.EXE
Command Line : "C:\WINDOWS\SYSTEM\SK9910DM.EXE"
ProcessID : 4292994515
Threads : 1
Priority : Normal
FileVersion : 1, 0, 9, 0
CompanyName : Silitek Corporation
FileDescription : Daemon
LegalCopyright : Copyright © Silitek Corp. 1999, 2000

#:16 [DIRECTCD.EXE]
ModuleName : C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
Command Line : "C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE"
ProcessID : 4292934779
Threads : 1
Priority : Normal
FileVersion : 3.01e (184)
ProductVersion : 3.01e (184)
ProductName : DirectCD
CompanyName : Adaptec
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 1996-2000 Adaptec, Inc.
OriginalFilename : DirectCD.EXE

#:17 [SYGATE.EXE]
ModuleName : C:\PROGRAM FILES\SYGATE\SYGATE\SYGATE.EXE
Command Line : "C:\PROGRAM FILES\SYGATE\SYGATE\Sygate.exe"
ProcessID : 4292921047
Threads : 2
Priority : Normal
FileVersion : 4, 0, 759, 1
ProductVersion : 4, 0, 1, 0
ProductName : Sygate
CompanyName : Sygate Technologies, Inc.
FileDescription : Sygate - Internet Sharing Software
InternalName : Sygate Component
LegalCopyright : Sygate Technologies, Inc. © 1997-2001
LegalTrademarks : Sygate is a trademark of Sygate Technologies, Inc.

#:18 [SYMLCSVC.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
Command Line : "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" start
ProcessID : 4293351895
Threads : 1
Priority : Normal
FileVersion : 1, 8, 54, 534
ProductVersion : 1, 8, 54, 534
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:19 [CCAPP.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
Command Line : "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ProcessID : 4293348019
Threads : 36
Priority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:20 [SYSNV.EXE]
ModuleName : C:\WINDOWS\SYSNV.EXE
Command Line : "C:\WINDOWS\SYSNV.EXE"
ProcessID : 4293378823
Threads : 4
Priority : Normal


#:21 [CREATECD.EXE]
ModuleName : C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
Command Line : "C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE" -r
ProcessID : 4293365019
Threads : 1
Priority : Normal
FileVersion : 4.02e (310)
ProductVersion : 4.02e (310)
ProductName : Easy CD Creator
CompanyName : Adaptec
FileDescription : Adaptec Create CD
InternalName : createcd.exe
LegalCopyright : Copyright © 1996-2000 Adaptec, Inc.
OriginalFilename : createcd.exe

#:22 [TASKPANL.EXE]
ModuleName : C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
Command Line : "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
ProcessID : 4293286399
Threads : 10
Priority : Normal
FileVersion : 2005.1.57.0
ProductVersion : 2005.1.57.0
ProductName : EarthLink TotalAccess
CompanyName : EarthLink, Inc.
LegalCopyright : © EarthLink, Inc. All rights reserved.

#:23 [DDHELP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\DDHELP.EXE
Command Line : ddhelp.exe
ProcessID : 4293214459
Threads : 5
Priority : Realtime
FileVersion : 4.08.00.0400
ProductVersion : 4.08.00.0400
ProductName : Microsoft® DirectX for Windows® 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2000
OriginalFilename : DDHelp.exe

#:24 [TAPISRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TAPISRV.EXE
Command Line : tapisrv.exe
ProcessID : 4293201543
Threads : 9
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Windows™ Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright © Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:25 [SNDSRVC.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
Command Line : "C:\PROGRA~1\COMMON~1\SYMANT~1\SndSrvc.exe"
ProcessID : 4293587911
Threads : 7
Priority : Normal
FileVersion : 5.4.4.17
ProductVersion : 5.4
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:26 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4293180567
Threads : 3
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:27 [IEEU32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\IEEU32.EXE
Command Line : C:\WINDOWS\SYSTEM\IEEU32.EXE /s
ProcessID : 4293538471
Threads : 1
Priority : Normal


VX2 Object Recognized!
Type : Process
Data : IEEU32.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\


Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\IEEU32.EXE)

"C:\WINDOWS\SYSTEM\IEEU32.EXE"Process terminated successfully

#:28 [IEEU32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\IEEU32.EXE
Command Line : n/a
ProcessID : 4294795427
Threads : 1
Priority : Normal


#:29 [RNAAPP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RNAAPP.EXE
Command Line : rnaapp.exe -l
ProcessID : 4293112559
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
LegalCopyright : Copyright © Microsoft Corp. 1992-1996
OriginalFilename : RNAAPP.EXE

#:30 [IPCLIENT.EXE]
ModuleName : C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
Command Line : -w
ProcessID : 4294868911
Threads : 4
Priority : Normal
FileVersion : 5.5.100.115
ProductVersion : 5.5.100.115
ProductName : Visual IP InSight
CompanyName : Visual Networks
FileDescription : IP Session Statistics
InternalName : IPCLIENT
LegalCopyright : Copyright © 2002 Visual Networks Technologies, Inc.
OriginalFilename : ipclient32.exe

#:31 [ELINKACC.EXE]
ModuleName : C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ACCELERATOR\ELINKACC.EXE
Command Line : "C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe"
ProcessID : 4293276719
Threads : 3
Priority : Normal


#:32 [IEXPLORE.EXE]
ModuleName : C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Command Line : "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
ProcessID : 4294805647
Threads : 8
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : IEXPLORE.EXE

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}
Value :

Security iGuard Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\rex-services

Security iGuard Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\rex-services
Value : MGuid

Windows Object Recognized!
Type : RegData
Data : explorer.exe, msmsgs.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe, msmsgs.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 6


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Only sex website.url
Category : Misc
Comment : Problematic URL discovered: http://www.onlysex.ws/
Object : C:\WINDOWS\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Seven days of free [bleep].url
Category : Misc
Comment : Problematic URL discovered: http://www.7days.ws/
Object : C:\WINDOWS\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\WINDOWS\Favorites\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {77147D9C-260D-0E8E-F1F8-89AA214A95A1}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data :
Category : Malware
Comment : PROXY ENABLED - CHECK PROXY SETTINGS - Check this item if you do not use a proxy server - If a proxy server is in use, its settings in your Internet Options need to be verified.
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\internet settings
Value : ProxyEnable
Data :

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

Security iGuard Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : C:\WINDOWS\Application Data\Rex-Services

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 27

7:55:28 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:22.960
Objects scanned:46178
Objects identified:27
Objects ignored:0
New critical objects:27

#8
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Sorry for the late answer; we have to try the removal this way, then.

Ad-aware has found object(s) on your computer

If you choose to clean your computer of what Ad-Aware found, follow the instructions below:

Make sure that you are using the * SE1R43 06.05.2005 * definition file.


Open up Ad-Aware SE and click on the gear to access the Configuration menu. Make sure that this setting is applied.

Click on Tweak > Cleaning engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Then boot into Safe Mode

To clean your machine, it is highly recommended that you clean out the contents of the following directories (but not the directories themselves):

Run CCleaner to help in this process.
Download CCleaner (setup: go to Options > Settings and uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files).

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Run Ad-Aware SE from the command line as shown in the instructions below.

Click "Start" > select "Run" > type the text shown below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click Ok.

Note: the paths above are the default installation locations for Ad-Aware SE; if yours is different, adjust the path to the location you installed it to.

When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to any objects you wish to remove. Click Next, then click OK.

If problems are caused by deleting a family, just leave it.


Reboot your computer after removal, run a new "full system scan" and post the results as a reply. Don't open any programs or connect to the internet at this time.

Then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted; once the "Summary of this scan" information is shown, you have posted all of your logfile.

Also, keep in mind that when you post another logfile, keep "Search for negligible risk entries" deselected, as negligible-risk entries (MRUs) aren't considered a threat. This option can be changed when choosing your scan type.

Remember to post your fresh scanlog in THIS topic.

- Rawe :tazz:
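A small triage script for scan logs like the one posted above, added here as an example; it is not part of this thread and is not Ad-Aware's own code. It parses the Ad-Aware SE log format into an ordered list of events and answers three questions the log above raises: which families were detected, which process image was still listed after Ad-Aware reported terminating it (IEEU32.EXE shows up as #27 and again as #28 in the log above), and what sits in the Winlogon Shell value besides explorer.exe (the "Shell Possibly Compromised" entry). The embedded sample is a constructed excerpt in the same record format, trimmed to the records these checks need, not the full log from the post.

```python
import re

# Constructed excerpt in Ad-Aware SE's log format, trimmed to the records the checks below need.
SAMPLE_LOG = r"""
#:27 [IEEU32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\IEEU32.EXE

VX2 Object Recognized!
Type : Process
Data : IEEU32.EXE
Object : C:\WINDOWS\SYSTEM\

"C:\WINDOWS\SYSTEM\IEEU32.EXE"Process terminated successfully

#:28 [IEEU32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\IEEU32.EXE

Windows Object Recognized!
Type : RegData
Data : explorer.exe, msmsgs.exe
Comment : Shell Possibly Compromised
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe, msmsgs.exe
"""

KV = re.compile(r"^([A-Za-z ]+?)\s*:\s?(.*)$")
HEAD_DETECT = re.compile(r"^(.+?) Object Recognized!$")
HEAD_PROC = re.compile(r"^#:(\d+) \[(.+)\]$")
KILLED = re.compile(r'^"(.+)"Process terminated successfully$')

def _blocks(text):
    """Split the log into runs of non-blank lines (one Ad-Aware record each)."""
    blocks, cur = [], []
    for line in text.splitlines() + [""]:
        if line.strip():
            cur.append(line.rstrip())
        elif cur:
            blocks.append(cur)
            cur = []
    return blocks

def _fields(lines):
    """Parse 'Key : Value' lines; RegData records list Data twice, the later non-empty copy wins."""
    out = {}
    for line in lines:
        m = KV.match(line)
        if m and (m.group(2).strip() or m.group(1).strip() not in out):
            out[m.group(1).strip()] = m.group(2).strip()
    return out

def parse_log(text):
    """Return an ordered list of ('detection'|'process'|'terminated', payload) events."""
    events = []
    for block in _blocks(text):
        m = HEAD_DETECT.match(block[0])
        if m:
            events.append(("detection", {"family": m.group(1), **_fields(block[1:])}))
            continue
        m = HEAD_PROC.match(block[0])
        if m:
            events.append(("process", {"index": int(m.group(1)), **_fields(block[1:])}))
            continue
        for line in block:
            m = KILLED.match(line)
            if m:
                events.append(("terminated", m.group(1)))
    return events

def families(events):
    """Number of detections per Ad-Aware family (VX2, CoolWebSearch, ...)."""
    counts = {}
    for kind, d in events:
        if kind == "detection":
            counts[d["family"]] = counts.get(d["family"], 0) + 1
    return counts

def survivors(events):
    """(index, path) of process entries listed after Ad-Aware reported terminating that image."""
    killed, back = set(), []
    for kind, d in events:
        if kind == "terminated":
            killed.add(d.lower())
        elif kind == "process" and d.get("ModuleName", "").lower() in killed:
            back.append((d["index"], d["ModuleName"]))
    return back

def shell_tampering(events):
    """Entries in the Winlogon Shell value other than explorer.exe, the only one expected there."""
    extra = []
    for kind, d in events:
        if kind != "detection" or d.get("Value", "").lower() != "shell":
            continue
        if d.get("Object", "").endswith("winlogon"):
            items = [x.strip().lower() for x in d.get("Data", "").split(",")]
            extra += [x for x in items if x and x != "explorer.exe"]
    return extra

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("families:", families(ev))
    print("back after termination:", survivors(ev))
    print("extra Shell entries:", shell_tampering(ev))
```

Run it on a full log by reading the file into `parse_log` instead of `SAMPLE_LOG`. A non-empty `survivors` list is the thing to look at before trusting a "process terminated" line: the image was still listed afterwards, which is exactly the situation the +procnuke run in the instructions above is meant to deal with.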