
Plz look over my Log File[RESOLVED]



#1
Hjalle_DK
Member, 26 posts
I am in desperate need of help. I think I have got multiple viruses, spyware, pop-up viruses, etc.


Ad-Aware SE Build 1.05
Logfile Created on:4. maj 2005 20:34:53
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R42 28.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):7 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
Tracking Cookie(TAC index:3):1 total references
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R42 28.04.2005
Internal build : 49
File location : C:\Programmer\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 466557 Bytes
Total size : 1403889 Bytes
Signature data size : 1373297 Bytes
Reference data size : 30080 Bytes
Signatures total : 39226
Fingerprints total : 836
Fingerprints size : 28245 Bytes
Target categories : 15
Target families : 654


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:63 %
Total physical memory:1047020 kb
Available physical memory:659460 kb
Total page file size:2520280 kb
Available on page file:2323480 kb
Total virtual memory:2097024 kb
Available virtual memory:2028880 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


04-05-2005 20:34:53 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 444
ThreadCreationTime : 04-05-2005 18:23:58
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 504
ThreadCreationTime : 04-05-2005 18:24:01
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 532
ThreadCreationTime : 04-05-2005 18:24:02
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 580
ThreadCreationTime : 04-05-2005 18:24:03
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Tjenester og controllerprogrammer
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 592
ThreadCreationTime : 04-05-2005 18:24:03
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
ModuleName : C:\WINDOWS\system32\Ati2evxx.exe
Command Line : C:\WINDOWS\system32\Ati2evxx.exe
ProcessID : 740
ThreadCreationTime : 04-05-2005 18:24:03
BasePriority : Normal
FileVersion : 6.14.10.4107
ProductVersion : 6.14.10.4107.03
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 752
ThreadCreationTime : 04-05-2005 18:24:03
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 820
ThreadCreationTime : 04-05-2005 18:24:04
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 888
ThreadCreationTime : 04-05-2005 18:24:04
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 932
ThreadCreationTime : 04-05-2005 18:24:04
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1056
ThreadCreationTime : 04-05-2005 18:24:04
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ati2evxx.exe]
ModuleName : C:\WINDOWS\system32\Ati2evxx.exe
Command Line : Ati2evxx.exe -Client
ProcessID : 1268
ThreadCreationTime : 04-05-2005 18:24:06
BasePriority : Normal
FileVersion : 6.14.10.4107
ProductVersion : 6.14.10.4107.03
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:13 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.exe
Command Line : Explorer.exe C:\WINDOWS\Nail.exe
ProcessID : 1328
ThreadCreationTime : 04-05-2005 18:24:06
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Windows Stifinder
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : EXPLORER.EXE

#:14 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1356
ThreadCreationTime : 04-05-2005 18:24:06
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:15 [jusched.exe]
ModuleName : C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
Command Line : "C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe"
ProcessID : 1480
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal


#:16 [soundman.exe]
ModuleName : C:\WINDOWS\SOUNDMAN.EXE
Command Line : "C:\WINDOWS\SOUNDMAN.EXE"
ProcessID : 1492
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal
FileVersion : 1, 0, 0, 14
ProductVersion : 1, 0, 0, 14
ProductName : Realtek HD Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright © 2004 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek HD Audio Sound Manager

#:17 [alcwzrd.exe]
ModuleName : C:\WINDOWS\ALCWZRD.EXE
Command Line : "C:\WINDOWS\ALCWZRD.EXE"
ProcessID : 1512
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal
FileVersion : 1.1.0.15
ProductVersion : 1.1.0.15
ProductName : ALCWZRD
CompanyName : RealTek Semicoductor Corp.
FileDescription : RealTek AlcWzrd Application
InternalName : ALCWZRD.EXE
LegalCopyright : Copyright © 2003-2004 Realtek Semiconductor Corp.
OriginalFilename : ALCWZRD.EXE

#:18 [winampa.exe]
ModuleName : C:\Programmer\Winamp\winampa.exe
Command Line : "C:\Programmer\Winamp\winampa.exe"
ProcessID : 1528
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal


#:19 [hpztsb05.exe]
ModuleName : C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
Command Line : "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe"
ProcessID : 1536
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal
FileVersion : 2,128,0,0
ProductVersion : 2,128,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2002

#:20 [hphmon04.exe]
ModuleName : C:\WINDOWS\system32\hphmon04.exe
Command Line : "C:\WINDOWS\system32\hphmon04.exe"
ProcessID : 1544
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal
FileVersion : 4,1,14
ProductVersion : 4,1,14
ProductName : hp photosmart
CompanyName : Hewlett-Packard
FileDescription : HPHmon04
InternalName : HPHmon04
LegalCopyright : Copyright © 2001
OriginalFilename : HPHmon04.exe

#:21 [hpgs2wnd.exe]
ModuleName : C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Command Line : "C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
ProcessID : 1572
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal
FileVersion : 2,3,0,0\ 162
ProductVersion : 2,3,0,0\ 162
ProductName : Hewlett-Packard hpgs2wnd
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
LegalCopyright : Copyright © 2001
OriginalFilename : hpgs2wnd.exe

#:22 [point32.exe]
ModuleName : C:\Programmer\Microsoft Hardware\Mouse\point32.exe
Command Line : "C:\Programmer\Microsoft Hardware\Mouse\point32.exe"
ProcessID : 1584
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal


#:23 [seeve.exe]
ModuleName : C:\WINDOWS\seeve.exe
Command Line : "C:\WINDOWS\seeve.exe"
ProcessID : 1684
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal
FileVersion : 6.04
ProductVersion : 6.04
ProductName : pop64
CompanyName : Network1
InternalName : seeve
OriginalFilename : seeve.exe

#:24 [msnmsgr.exe]
ModuleName : C:\Programmer\MSN Messenger\MsnMsgr.Exe
Command Line : "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
ProcessID : 1708
ThreadCreationTime : 04-05-2005 18:24:07
BasePriority : Normal
FileVersion : 7.0.0777
ProductVersion : 7.0.0777
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:25 [ldljaog.exe]
ModuleName : c:\windows\system32\ldljaog.exe
Command Line : "c:\windows\system32\ldljaog.exe" jxyzvda
ProcessID : 1740
ThreadCreationTime : 04-05-2005 18:24:08
BasePriority : Normal
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.

#:26 [hpgs2wnf.exe]
ModuleName : C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
Command Line : "C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe" -Embedding
ProcessID : 1896
ThreadCreationTime : 04-05-2005 18:24:08
BasePriority : Normal
FileVersion : 2, 6, 0, 162
ProductVersion : 2, 6, 0, 162
ProductName : hpgs2wnf Module
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
LegalCopyright : Copyright 2001
OriginalFilename : hpgs2wnf.EXE

#:27 [slserv.exe]
ModuleName : C:\WINDOWS\system32\slserv.exe
Command Line : slserv.exe
ProcessID : 400
ThreadCreationTime : 04-05-2005 18:24:13
BasePriority : Normal


#:28 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 628
ThreadCreationTime : 04-05-2005 18:24:16
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:29 [hphipm11.exe]
ModuleName : C:\WINDOWS\system32\HPHipm11.exe
Command Line : C:\WINDOWS\system32\HPHipm11.exe
ProcessID : 1552
ThreadCreationTime : 04-05-2005 18:24:17
BasePriority : Normal
FileVersion : 4, 5, 0, 770
ProductVersion : 4, 5, 0, 770
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:30 [wscntfy.exe]
ModuleName : C:\WINDOWS\system32\wscntfy.exe
Command Line : C:\WINDOWS\system32\wscntfy.exe
ProcessID : 1596
ThreadCreationTime : 04-05-2005 18:24:17
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:31 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 2108
ThreadCreationTime : 04-05-2005 18:24:18
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:32 [ad-aware.exe]
ModuleName : C:\Programmer\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Programmer\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2544
ThreadCreationTime : 04-05-2005 18:24:24
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:33 [iexplore.exe]
ModuleName : C:\Programmer\Internet Explorer\IEXPLORE.EXE
Command Line : "C:\Programmer\Internet Explorer\IEXPLORE.EXE"
ProcessID : 3044
ThreadCreationTime : 04-05-2005 18:25:24
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : IEXPLORE.EXE

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-448539723-1336601894-725345543-1005\software\lq
Value : AC

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : media-motor.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : media-motor.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : media-motor.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
Value : *
Trusted zone presumably compromised : popuppers.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : popuppers.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : popuppers.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com
Value : *

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 6


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jens asbjørn@ran.popuppers[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:jens asbjørn@ran.popuppers.com/
Expires : 05-05-2005 20:34:20
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 7



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 7




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 13

20:38:41 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:03:48.62
Objects scanned:106427
Objects identified:13
Objects ignored:0
New critical objects:13
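A small triage script for the Ad-Aware SE log format posted above, added here as an example (it is not the forum's or Lavasoft's code and assumes Python 3.8 or newer). It splits the log into process blocks and "Object Recognized!" blocks and extracts the findings that matter in this log: the extra program appended to the Winlogon Shell value, the domains added to IE's Trusted zone, and running processes whose version resource was never filled in. The embedded log is a constructed excerpt in the same format.

```python
import re
from collections import Counter

PROCESS_HDR = re.compile(r"^#:\d+ \[(.+)\]$")
OBJECT_HDR = re.compile(r"^(.+) Object Recognized!$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?) :\s?(.*)$")

# Constructed excerpt in the Ad-Aware SE log format seen in this thread.
SAMPLE_LOG = r"""#:13 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.exe
Command Line : Explorer.exe C:\WINDOWS\Nail.exe
CompanyName : Microsoft Corporation

#:25 [ldljaog.exe]
ModuleName : c:\windows\system32\ldljaog.exe
Command Line : "c:\windows\system32\ldljaog.exe" jxyzvda
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>

Windows Object Recognized!
Data :
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

Possible Browser Hijack attempt Object Recognized!
Comment : Trusted zone presumably compromised : media-motor.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
"""


def parse_adaware_log(text):
    """Split the log into process blocks ('#:N [name]') and detection blocks
    ('<family> Object Recognized!'), each a dict of its 'Key : Value' lines.
    A blank line ends a block; a repeated key keeps the last non-empty value
    (the log prints 'Data :' twice for some objects)."""
    processes, objects, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif m := PROCESS_HDR.match(line):
            current = {"name": m.group(1)}
            processes.append(current)
        elif m := OBJECT_HDR.match(line):
            current = {"family": m.group(1)}
            objects.append(current)
        elif (m := FIELD.match(line)) and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if value or key not in current:
                current[key] = value
    return processes, objects


def family_counts(objects):
    """Detections per family, like the log's 'References detected' summary."""
    return Counter(obj["family"] for obj in objects)


def shell_hijack(objects):
    """Whatever the Winlogon Shell value holds beyond explorer.exe (a program
    started at every logon), or None. Ad-Aware reports it as a 'Windows' object."""
    for obj in objects:
        if obj.get("Value", "").lower() == "shell" and \
                obj.get("Object", "").lower().endswith("winlogon"):
            data = obj.get("Data", "").strip()
            return None if data.lower() == "explorer.exe" else data
    return None


def trusted_zone_domains(objects):
    """Domains added to IE's Trusted zone through the ZoneMap\\Domains key."""
    marker = "\\zonemap\\domains\\"
    found = set()
    for obj in objects:
        path = obj.get("Object", "").lower()
        if marker in path:
            found.add(path.split(marker, 1)[1].split("\\", 1)[0])
    return found


def suspicious_processes(processes):
    """Two heuristics drawn from this log: a version resource left at the
    compiler's TODO template, and Explorer started with an extra argument."""
    flagged = []
    for proc in processes:
        name = proc["name"].lower()
        if any("TODO:" in str(v) for v in proc.values()):
            flagged.append((name, "unfilled TODO version resource"))
        cmd = proc.get("Command Line", "").split(None, 1)
        if name == "explorer.exe" and len(cmd) > 1:
            flagged.append((name, "explorer launched with argument " + cmd[1]))
    return flagged
```

Run it over a full pasted log with `parse_adaware_log(open(path, encoding="latin-1").read())` and the four checks above give a quick read of what a helper would look at first.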


#2
Rawe
Visiting Staff, 4,746 posts
Welcome!

Ad-aware has found object(s) on your computer

If you choose to clean your computer of what Ad-aware found, follow the instructions below.

Make sure that you are using the * SE1R42 28.04.2005 * definition file.


Open up Ad-Aware SE and click on the gear to access the Configuration menu. Make sure that this setting is applied.

Click on Tweak > Cleaning engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Run CCleaner to help in this process.
Download CCleaner (Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click Ok.

Note: the path above is the default installation location for Ad-aware SE; if yours is different, adjust it to the location where you installed it.

When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to any objects you wish to remove. Click Next, then click OK.

If problems are caused by deleting a family, just leave it.


Reboot your computer after removal, run a new "full system scan" and post the results as a reply. Don't open any programs or connect to the internet at this time.

Then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted; once the "Summary of this scan" information is shown, you have posted all of your logfile.

Also, keep in mind that when you are posting another logfile, keep "Search for negligible risk entries" deselected, as negligible risk entries (MRUs) aren't considered a threat. This option can be changed when choosing your scan type.

Remember to post your fresh scanlog in THIS topic.

- Rawe :tazz:

#3
Hjalle_DK
Topic Starter, Member, 26 posts
Hi Rawe, and thanks for helping out.

My new scan log is posted below; however, you mentioned that I should clean the following paths:

* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

These paths were, oddly enough, not available on my PC.


Here is my newest scan log:


Ad-Aware SE Build 1.05
Logfile Created on:4. maj 2005 21:57:01
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R42 28.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):24 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
Tracking Cookie(TAC index:3):2 total references
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R42 28.04.2005
Internal build : 49
File location : C:\Programmer\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 466557 Bytes
Total size : 1403889 Bytes
Signature data size : 1373297 Bytes
Reference data size : 30080 Bytes
Signatures total : 39226
Fingerprints total : 836
Fingerprints size : 28245 Bytes
Target categories : 15
Target families : 654


Memory + processor status:
==========================
Number of processors : 2
Processor architecture : Intel Pentium IV
Memory available:74 %
Total physical memory:1047020 kb
Available physical memory:771684 kb
Total page file size:2520280 kb
Available on page file:2351180 kb
Total virtual memory:2097024 kb
Available virtual memory:2047736 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


04-05-2005 21:57:01 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 456
ThreadCreationTime : 04-05-2005 19:55:46
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 508
ThreadCreationTime : 04-05-2005 19:55:48
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 536
ThreadCreationTime : 04-05-2005 19:55:50
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 584
ThreadCreationTime : 04-05-2005 19:55:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Tjenester og controllerprogrammer
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 596
ThreadCreationTime : 04-05-2005 19:55:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
ModuleName : C:\WINDOWS\system32\Ati2evxx.exe
Command Line : C:\WINDOWS\system32\Ati2evxx.exe
ProcessID : 760
ThreadCreationTime : 04-05-2005 19:55:51
BasePriority : Normal
FileVersion : 6.14.10.4107
ProductVersion : 6.14.10.4107.03
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 776
ThreadCreationTime : 04-05-2005 19:55:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 832
ThreadCreationTime : 04-05-2005 19:55:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 900
ThreadCreationTime : 04-05-2005 19:55:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 988
ThreadCreationTime : 04-05-2005 19:55:52
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1044
ThreadCreationTime : 04-05-2005 19:55:52
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1224
ThreadCreationTime : 04-05-2005 19:55:52
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [ati2evxx.exe]
ModuleName : C:\WINDOWS\system32\Ati2evxx.exe
Command Line : Ati2evxx.exe -Client
ProcessID : 1492
ThreadCreationTime : 04-05-2005 19:55:54
BasePriority : Normal
FileVersion : 6.14.10.4107
ProductVersion : 6.14.10.4107.03
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:14 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.exe
Command Line : Explorer.exe C:\WINDOWS\Nail.exe
ProcessID : 1580
ThreadCreationTime : 04-05-2005 19:55:54
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Windows Stifinder
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : EXPLORER.EXE

#:15 [jusched.exe]
ModuleName : C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
Command Line : "C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe"
ProcessID : 1648
ThreadCreationTime : 04-05-2005 19:55:54
BasePriority : Normal


#:16 [soundman.exe]
ModuleName : C:\WINDOWS\SOUNDMAN.EXE
Command Line : "C:\WINDOWS\SOUNDMAN.EXE"
ProcessID : 1656
ThreadCreationTime : 04-05-2005 19:55:54
BasePriority : Normal
FileVersion : 1, 0, 0, 14
ProductVersion : 1, 0, 0, 14
ProductName : Realtek HD Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright © 2004 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek HD Audio Sound Manager

#:17 [alcwzrd.exe]
ModuleName : C:\WINDOWS\ALCWZRD.EXE
Command Line : "C:\WINDOWS\ALCWZRD.EXE"
ProcessID : 1664
ThreadCreationTime : 04-05-2005 19:55:54
BasePriority : Normal
FileVersion : 1.1.0.15
ProductVersion : 1.1.0.15
ProductName : ALCWZRD
CompanyName : RealTek Semicoductor Corp.
FileDescription : RealTek AlcWzrd Application
InternalName : ALCWZRD.EXE
LegalCopyright : Copyright © 2003-2004 Realtek Semiconductor Corp.
OriginalFilename : ALCWZRD.EXE

#:18 [winampa.exe]
ModuleName : C:\Programmer\Winamp\winampa.exe
Command Line : "C:\Programmer\Winamp\winampa.exe"
ProcessID : 1680
ThreadCreationTime : 04-05-2005 19:55:54
BasePriority : Normal


#:19 [hpztsb05.exe]
ModuleName : C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
Command Line : "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe"
ProcessID : 1712
ThreadCreationTime : 04-05-2005 19:55:54
BasePriority : Normal
FileVersion : 2,128,0,0
ProductVersion : 2,128,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2002

#:20 [hphmon04.exe]
ModuleName : C:\WINDOWS\system32\hphmon04.exe
Command Line : "C:\WINDOWS\system32\hphmon04.exe"
ProcessID : 1732
ThreadCreationTime : 04-05-2005 19:55:55
BasePriority : Normal
FileVersion : 4,1,14
ProductVersion : 4,1,14
ProductName : hp photosmart
CompanyName : Hewlett-Packard
FileDescription : HPHmon04
InternalName : HPHmon04
LegalCopyright : Copyright © 2001
OriginalFilename : HPHmon04.exe

#:21 [hpgs2wnd.exe]
ModuleName : C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Command Line : "C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
ProcessID : 1768
ThreadCreationTime : 04-05-2005 19:55:55
BasePriority : Normal
FileVersion : 2,3,0,0\ 162
ProductVersion : 2,3,0,0\ 162
ProductName : Hewlett-Packard hpgs2wnd
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
LegalCopyright : Copyright © 2001
OriginalFilename : hpgs2wnd.exe

#:22 [point32.exe]
ModuleName : C:\Programmer\Microsoft Hardware\Mouse\point32.exe
Command Line : "C:\Programmer\Microsoft Hardware\Mouse\point32.exe"
ProcessID : 1804
ThreadCreationTime : 04-05-2005 19:55:55
BasePriority : Normal


#:23 [seeve.exe]
ModuleName : C:\WINDOWS\seeve.exe
Command Line : "C:\WINDOWS\seeve.exe"
ProcessID : 1860
ThreadCreationTime : 04-05-2005 19:55:55
BasePriority : Normal
FileVersion : 6.04
ProductVersion : 6.04
ProductName : pop64
CompanyName : Network1
InternalName : seeve
OriginalFilename : seeve.exe

#:24 [msnmsgr.exe]
ModuleName : C:\Programmer\MSN Messenger\MsnMsgr.Exe
Command Line : "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
ProcessID : 1896
ThreadCreationTime : 04-05-2005 19:55:55
BasePriority : Normal
FileVersion : 7.0.0777
ProductVersion : 7.0.0777
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:25 [manjzq.exe]
ModuleName : c:\windows\system32\manjzq.exe
Command Line : "c:\windows\system32\manjzq.exe" dmtiil
ProcessID : 1908
ThreadCreationTime : 04-05-2005 19:55:55
BasePriority : Normal
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.

#:26 [hpgs2wnf.exe]
ModuleName : C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
Command Line : "C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe" -Embedding
ProcessID : 1964
ThreadCreationTime : 04-05-2005 19:55:56
BasePriority : Normal
FileVersion : 2, 6, 0, 162
ProductVersion : 2, 6, 0, 162
ProductName : hpgs2wnf Module
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
LegalCopyright : Copyright 2001
OriginalFilename : hpgs2wnf.EXE

#:27 [slserv.exe]
ModuleName : C:\WINDOWS\system32\slserv.exe
Command Line : slserv.exe
ProcessID : 504
ThreadCreationTime : 04-05-2005 19:56:01
BasePriority : Normal


#:28 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 932
ThreadCreationTime : 04-05-2005 19:56:04
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:29 [hphipm11.exe]
ModuleName : C:\WINDOWS\system32\HPHipm11.exe
Command Line : C:\WINDOWS\system32\HPHipm11.exe
ProcessID : 1380
ThreadCreationTime : 04-05-2005 19:56:05
BasePriority : Normal
FileVersion : 4, 5, 0, 770
ProductVersion : 4, 5, 0, 770
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:30 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 2124
ThreadCreationTime : 04-05-2005 19:56:05
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:31 [wscntfy.exe]
ModuleName : C:\WINDOWS\system32\wscntfy.exe
Command Line : C:\WINDOWS\system32\wscntfy.exe
ProcessID : 2140
ThreadCreationTime : 04-05-2005 19:56:05
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:32 [ad-aware.exe]
ModuleName : C:\Programmer\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Programmer\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2760
ThreadCreationTime : 04-05-2005 19:56:42
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:33 [wuauclt.exe]
ModuleName : C:\WINDOWS\system32\wuauclt.exe
Command Line : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[384]SUSDSa17926c566eacb499e5164bd05a46f89
ProcessID : 2836
ThreadCreationTime : 04-05-2005 19:56:49
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Automatiske opdateringer
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : wuauclt.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-448539723-1336601894-725345543-1005\software\lq
Value : AC

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : media-motor.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : media-motor.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : media-motor.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
Value : *
Trusted zone presumably compromised : popuppers.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : popuppers.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : popuppers.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com
Value : *

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 6


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jens asbjørn@revenue[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:jens asbjørn@revenue.net/
Expires : 10-06-2022 07:05:42
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jens asbjørn@casalemedia[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:jens asbjørn@casalemedia.com/
Expires : 25-04-2006 17:56:52
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 8



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 8




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TR

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : country

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : city

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : state

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.8

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.9

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.0

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.1

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.2

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.3

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.4

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.5

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.6

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : LU3.7

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 23
Objects found so far: 31

22:00:21 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:03:20.15
Objects scanned:101182
Objects identified:31
Objects ignored:0
New critical objects:31

#4
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Hello again,
run these online virus scans:
- Trend Micro
- Panda Activescan

Post the results here.

- Rawe :tazz:

#5
Hjalle_DK
    Member
  • Topic Starter
  • Member
  • 26 posts
Hi again.

Trend Micro gives me the following message:
HouseCall was unable either to update or start the scan engine!


The report from Panda is as follows:

Incident Status Location

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Bolger.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\seeve.exe
Adware:Adware/Transponder No disinfected c:\windows\system32\manjzq.exe
Adware:Adware/EliteBar No disinfected C:\windows\system32\ELITEZ~1.EXE
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\seeve.exe
Adware:Adware/Transponder No disinfected c:\windows\system32\manjzq.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/SideFind No disinfected Windows Registry
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\mm??.ocx
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Jens Asbjørn\Foretrukne\Casino & Carrers
Adware:Adware/Transponder No disinfected C:\WINDOWS\Bolger.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\clientax.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\ClientAX.inf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\mm63.ocx
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\seeve.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\svcproc.exe
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Virus:Trj/Agent.PF Disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\manjzq.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\temperror32.dat
Adware:Adware/FindWhatever No disinfected C:\WINDOWS\system32\unregister.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe


#6
Hjalle_DK
    Member
  • Topic Starter
  • Member
  • 26 posts
Hi again.

Tried Trend Micro again this morning, but to no avail.

It still won't update the scan engine etc.

Hope the above-mentioned Panda report is enough to work with.

#7
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Could you scan your computer here;
http://www.ewido.net/en/
Let it do a full scan, then copy the log from it. Paste it into a blank Notepad file and save it to post here.
After that, just post the log in this topic.

- Rawe :tazz:

Don't do anything else yet.

#8
Hjalle_DK
    Member
  • Topic Starter
  • Member
  • 26 posts
This is what ewido said.

Scan result:
C:\Documents and Settings\Jens Asbjørn\Cookies\jens asbjørn@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\DJA\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\ELI\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\MMX\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\TFG\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\UYH\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\ZJU\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\Downloaded Program Files\clientax.dll -> Spyware.180Solutions -> Ignored
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b -> Ignored
C:\WINDOWS\hnlggwwtnno.exe -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Ignored
C:\WINDOWS\system32\acnsgsp.exe -> Trojan.Agent.cp -> Ignored
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Ignored
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\unregister.exe -> Spyware.VB.f -> Ignored
::Report End


BTW I did not take any action at all.

Edited by Hjalle_DK, 05 May 2005 - 04:08 AM.


#9
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Hello again.
This topic will be referred (moved) to the Malware Removal forums.
You need to post a HijackThis log in this topic.
Someone from our staff will move this right away when they have time.
The Malware forums are busy, though, so please be patient.

- Rawe :tazz:

#10
Hjalle_DK
    Member
  • Topic Starter
  • Member
  • 26 posts
Thanks for now, Rawe.

Here is the result of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:27:18, on 05-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Programmer\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\Winamp\winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmer\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\seeve.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
c:\windows\system32\acnsgsp.exe
C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\mIRC\mirc.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\X-files\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Programmer\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [fyz] C:\WINDOWS\fyz.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezvc32.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temporary Internet Files\Content.IE5\GPQB4HIR\delf061225[1].exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [yjbcpa] c:\windows\system32\acnsgsp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Programmer\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://gandalf.cert...InkCSP-1204.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111750225234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.co...outLauncher.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgba...G/e-Safekey.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe




I haven't taken any action yet.

#11
ScHwErV
    Member 5k
  • Retired Staff
  • 21,285 posts
  • MVP
Hjalle_DK

Rawe was good enough to ask if I would help you out with your Aurora problem.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
REM Run Nail.exe's own /FULLREMOVE switch, then stop and delete the SvcProc service (C:\WINDOWS\svcproc.exe in the HijackThis log)
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so the files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
REM DrPMon.dll is the file Panda reported as Trj/Agent.PF
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan, let it fix everything it asks about. Post the log from the scan here for me.

Then please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

ScHwErV :tazz:
  • 0
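As an added defender-side example (not part of ScHwErV's post or of HijackThis itself), a small Python checker that scans HijackThis-style log lines for the entry types singled out above: an extra program on the system.ini Shell= line, a BHO whose file is missing, Trusted Zone additions, and services with an unknown owner. The log text is constructed from lines quoted in this thread.

```python
import re

# Constructed sample, modelled on HijackThis lines quoted in this thread (not a real log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\\WINDOWS\\Bolger.dll (file missing)
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O15 - Trusted Zone: *.media-motor.net
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe
"""

# Patterns for the HijackThis line types the helper singled out in this thread.
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
O2_BHO = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O15_ZONE = re.compile(r"^O15 - Trusted Zone: (.+)$")
O23_SVC = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.+)$")


def extra_shell_programs(shell_value):
    """Return everything on the Shell= value other than Explorer.exe itself.

    system.ini Shell= should be exactly Explorer.exe; an appended path is a
    second program started together with the shell (the Nail.exe pattern above).
    """
    return [t for t in shell_value.split() if t.lower() != "explorer.exe"]


def find_suspicious(log_text):
    """Scan HijackThis log text and return (section, reason, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        if m := F2_SHELL.match(line):
            for prog in extra_shell_programs(m.group(1)):
                findings.append(("F2", "extra program in Shell=", prog))
        elif m := O2_BHO.match(line):
            if m.group(2).endswith("(file missing)"):
                findings.append(("O2", "BHO registered but file missing", m.group(1)))
        elif m := O15_ZONE.match(line):
            # Any Trusted Zone entry loosens IE security for that site; review each one.
            findings.append(("O15", "site in Trusted Zone", m.group(1)))
        elif m := O23_SVC.match(line):
            name, owner, path = m.groups()
            if owner == "Unknown owner":
                findings.append(("O23", "service with unknown owner", f"{name} -> {path}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding, sep=" | ")
```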

#12
Hjalle_DK

Hjalle_DK

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hi again, and thank you as well for helping out, you guys are fantastic.

And just one thing: one of my friends told me that I need to disable System Restore before going ahead with what you tell me!!!

Is that correct?



However here are the results from Ewido and HJT.


Ewido:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:12:58, 05-05-2005
+ Report-Checksum: 60C4ACA1

+ Date of database: 05-05-2005
+ Version of scan engine: v3.0

+ Duration: 45 min
+ Scanned Files: 93998
+ Speed: 34.73 Files/Second
+ Infected files: 21
+ Removed files: 21
+ Files put in quarantine: 21
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Jens Asbjørn\Cookies\jens asbjørn@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\ANF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\BKY\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\DJA\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\ELI\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\MMX\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\TFG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\UYH\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temp\ZJU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\clientax.dll -> Spyware.180Solutions -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b -> Cleaned with backup
C:\WINDOWS\hnlggwwtnno.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\seeve.exe -> Spyware.MediaMotor.f -> Cleaned with backup
C:\WINDOWS\system32\eliteeys32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitenzy32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\elitezvc32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\kgawqb.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\unregister.exe -> Spyware.VB.f -> Cleaned with backup


::Report End



And this is from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 17:18:02, on 05-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmer\Winamp\winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmer\Microsoft Hardware\Mouse\point32.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\X-files\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Genvej til egenskabsside for High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Programmer\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmer\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [fyz] C:\WINDOWS\fyz.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Jens Asbjørn\Lokale indstillinger\Temporary Internet Files\Content.IE5\GPQB4HIR\delf061225[1].exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Programmer\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://gandalf.cert...InkCSP-1204.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111750225234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://media.grab.co...outLauncher.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.bgba...G/e-Safekey.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/me...aploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe



This is what I got, hope to hear from you :-)

Edited by Hjalle_DK, 05 May 2005 - 10:07 AM.

  • 0

#13
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
No, please do not turn off System Restore. If something goes wrong during the fixing process, you will need a restore point to go back to. I don't expect this to happen, but it's nice to have it there just in case.

Did you check this line in HJT?

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

If so, did you reboot before you ran HJT again?

ScHwErV :tazz:
  • 0

#14
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Hi ScHwErV,

Thanks for your help in this matter.

I am going to move this topic to the HJT forum to save confusion.

Thanks :tazz:

Hope that's alright.
  • 0

#15
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Thanks Andy.

My mod powers are limited to Geek U and Malware Removal ;)

ScHwErV :tazz:
  • 0