[Referred] Possible Trojan



#1
Bigbop
    New Member
Here is my Ad-Aware log file. I am pretty sure I have a Trojan that got past my Norton and I can't seem to track it down. Programs list from start menu shows empty, system restore gives me a blank window, double clicking on desktop icons does nothing, random processes keep popping up on task manager, etc...
Any help would be appreciated.

Ad-Aware SE Build 1.05
Logfile Created on:Saturday, May 07, 2005 9:25:33 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R43 06.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):24 total references
DealHelper(TAC index:7):2 total references
eUniverse(TAC index:10):1 total references
Possible Browser Hijack attempt(TAC index:3):6 total references
SahAgent(TAC index:9):1 total references
TPS108(TAC index:9):1 total references
WurldMedia(TAC index:9):1 total references
VX2(TAC index:10):5 total references
YourSiteBar(TAC index:6):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R43 06.05.2005
Internal build : 50
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 467649 Bytes
Total size : 1414672 Bytes
Signature data size : 1383852 Bytes
Reference data size : 30308 Bytes
Signatures total : 39494
Fingerprints total : 847
Fingerprints size : 28739 Bytes
Target categories : 15
Target families : 663


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:49 %
Total physical memory:327152 kb
Available physical memory:159228 kb
Total page file size:696920 kb
Available on page file:491276 kb
Total virtual memory:2097024 kb
Available virtual memory:2029600 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


5/7/2005 9:25:33 AM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 344
ThreadCreationTime : 5/7/2005 2:23:53 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 392
ThreadCreationTime : 5/7/2005 2:24:04 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 416
ThreadCreationTime : 5/7/2005 2:24:05 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 460
ThreadCreationTime : 5/7/2005 2:24:06 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 472
ThreadCreationTime : 5/7/2005 2:24:06 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 620
ThreadCreationTime : 5/7/2005 2:24:07 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 668
ThreadCreationTime : 5/7/2005 2:24:07 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 716
ThreadCreationTime : 5/7/2005 2:24:07 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 764
ThreadCreationTime : 5/7/2005 2:24:08 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 824
ThreadCreationTime : 5/7/2005 2:24:09 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1000
ThreadCreationTime : 5/7/2005 2:24:11 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [adskscsrv.exe]
ModuleName : C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
Command Line : "C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"
ProcessID : 1236
ThreadCreationTime : 5/7/2005 2:25:17 PM
BasePriority : Normal
FileVersion : 2.51.000
FileDescription : System Level Service Utility

#:13 [dcpflics.exe]
ModuleName : C:\Program Files\DCPFLICS\DCPFLICS.exe
Command Line : "C:\Program Files\DCPFLICS\DCPFLICS.exe"
ProcessID : 1256
ThreadCreationTime : 5/7/2005 2:25:17 PM
BasePriority : Normal


#:14 [defwatch.exe]
ModuleName : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
Command Line : "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"
ProcessID : 1288
ThreadCreationTime : 5/7/2005 2:25:17 PM
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec Corporation
OriginalFilename : DefWatch.exe

#:15 [gearsec.exe]
ModuleName : C:\WINDOWS\system32\gearsec.exe
Command Line : system32\gearsec.exe
ProcessID : 1312
ThreadCreationTime : 5/7/2005 2:25:17 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : gearsec
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
LegalCopyright : Copyright © 2001 GEAR Software
OriginalFilename : gearsec.exe

#:16 [appservices.exe]
ModuleName : C:\PROGRA~1\Iomega\System32\AppServices.exe
Command Line : "C:\PROGRA~1\Iomega\System32\AppServices.exe"
ProcessID : 1344
ThreadCreationTime : 5/7/2005 2:25:17 PM
BasePriority : Normal
FileVersion : 2, 0, 4, 2
ProductVersion : 2, 0, 4, 2
ProductName : Iomega App Services
CompanyName : Iomega Corporation
FileDescription : AppServices
InternalName : AppServices
LegalCopyright : Copyright © 2003
OriginalFilename : AppService.exe
Comments : Iomega App Services For Windows NT/2000/XP

#:17 [rtvscan.exe]
ModuleName : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
Command Line : "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"
ProcessID : 1368
ThreadCreationTime : 5/7/2005 2:25:17 PM
BasePriority : Normal
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2002

#:18 [nvsvc32.exe]
ModuleName : C:\WINDOWS\system32\nvsvc32.exe
Command Line : C:\WINDOWS\system32\nvsvc32.exe
ProcessID : 1424
ThreadCreationTime : 5/7/2005 2:25:17 PM
BasePriority : Normal
FileVersion : 6.14.10.6693
ProductVersion : 6.14.10.6693
ProductName : NVIDIA Driver Helper Service, Version 66.93
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 66.93
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:19 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 1508
ThreadCreationTime : 5/7/2005 2:25:18 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [wdfmgr.exe]
ModuleName : C:\WINDOWS\System32\wdfmgr.exe
Command Line : C:\WINDOWS\System32\wdfmgr.exe
ProcessID : 1560
ThreadCreationTime : 5/7/2005 2:25:18 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:21 [mspmspsv.exe]
ModuleName : C:\WINDOWS\System32\MsPMSPSv.exe
Command Line : C:\WINDOWS\System32\MsPMSPSv.exe
ProcessID : 1772
ThreadCreationTime : 5/7/2005 2:25:24 PM
BasePriority : Normal
FileVersion : 7.10.00.3068
ProductVersion : 7.10.00.3068
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:22 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 172
ThreadCreationTime : 5/7/2005 2:25:30 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:23 [wscntfy.exe]
ModuleName : C:\WINDOWS\system32\wscntfy.exe
Command Line : C:\WINDOWS\system32\wscntfy.exe
ProcessID : 1180
ThreadCreationTime : 5/7/2005 2:35:08 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:24 [viewmgr.exe]
ModuleName : C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Command Line : "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
ProcessID : 1496
ThreadCreationTime : 5/7/2005 2:35:47 PM
BasePriority : Normal
FileVersion : 2, 0, 0, 42
ProductVersion : 2, 0, 0, 42
ProductName : Viewpoint Manager
CompanyName : Viewpoint Corporation
FileDescription : ViewMgr
InternalName : Viewpoint Manager
LegalCopyright : Copyright © 2004
OriginalFilename : ViewMgr.exe
Comments : Viewpoint Manager

#:25 [sysqf.exe]
ModuleName : C:\WINDOWS\system32\sysqf.exe
Command Line : "C:\WINDOWS\system32\sysqf.exe"
ProcessID : 1548
ThreadCreationTime : 5/7/2005 2:35:47 PM
BasePriority : Normal


#:26 [zapro.exe]
ModuleName : C:\EXE_Backup1\ZoneAlarm\zapro.exe
Command Line : "C:\EXE_Backup1\ZoneAlarm\zapro.exe"
ProcessID : 1728
ThreadCreationTime : 5/7/2005 2:39:32 PM
BasePriority : Normal
FileVersion : 3.0.081
ProductVersion : 3.0.081
ProductName : ZoneAlarm Pro
CompanyName : Zone Labs Inc.
FileDescription : ZoneAlarm Pro
InternalName : ZoneAlarm Pro
LegalCopyright : Copyright © 2001, Zone Labs Inc.
OriginalFilename : zapro.exe

#:27 [vsmon.exe]
ModuleName : C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Command Line : vsmon.exe -status
ProcessID : 924
ThreadCreationTime : 5/7/2005 2:39:43 PM
BasePriority : Normal
FileVersion : 3.0.081
ProductVersion : 3.0.081
ProductName : TrueVector Service
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 2001, Zone Labs Inc.
OriginalFilename : vsmon.exe

#:28 [googledesktop.exe]
ModuleName : C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
Command Line : "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe"
ProcessID : 2452
ThreadCreationTime : 5/7/2005 2:47:03 PM
BasePriority : Normal


#:29 [googledesktopindex.exe]
ModuleName : C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
Command Line : "GoogleDesktopIndex.exe"
ProcessID : 2464
ThreadCreationTime : 5/7/2005 2:47:03 PM
BasePriority : Normal


#:30 [googledesktopdisplay.exe]
ModuleName : C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
Command Line : "GoogleDesktopDisplay.exe"
ProcessID : 2480
ThreadCreationTime : 5/7/2005 2:47:07 PM
BasePriority : ?


#:31 [googledesktopcrawl.exe]
ModuleName : C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
Command Line : "GoogleDesktopCrawl.exe" /ie /favorites /recent
ProcessID : 2512
ThreadCreationTime : 5/7/2005 2:47:09 PM
BasePriority : Normal


#:32 [taskmgr.exe]
ModuleName : C:\WINDOWS\system32\taskmgr.exe
Command Line : taskmgr.exe
ProcessID : 2588
ThreadCreationTime : 5/7/2005 2:47:24 PM
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe

#:33 [googledesktopoe.exe]
ModuleName : C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
Command Line : "GoogleDesktopOE.exe"
ProcessID : 2596
ThreadCreationTime : 5/7/2005 2:47:24 PM
BasePriority : Normal


#:34 [netscp.exe]
ModuleName : C:\PROGRA~1\Netscape\Netscape\Netscp.exe
Command Line : C:\PROGRA~1\Netscape\Netscape\Netscp.exe -turbo
ProcessID : 2336
ThreadCreationTime : 5/7/2005 3:09:57 PM
BasePriority : Normal


#:35 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1976
ThreadCreationTime : 5/7/2005 3:14:18 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:36 [explorer.exe]
ModuleName : C:\WINDOWS\explorer.exe
Command Line : C:\WINDOWS\explorer.exe
ProcessID : 2548
ThreadCreationTime : 5/7/2005 3:25:00 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

YourSiteBar Object Recognized!
Type : File
Data : ysb.dll
Category : Malware
Comment :
Object : C:\RECYCLER\S-1-5-21-606747145-1957994488-1060284298-1000\Dc10\
FileVersion : 1, 2, 0, 4
ProductVersion : 1, 2, 0, 4
ProductName : YourSiteBar
FileDescription : YourSiteBar
InternalName : YourSiteBar
LegalCopyright : Copyright 2004
OriginalFilename : ysb.dll


CoolWebSearch Object Recognized!
Type : File
Data : winlink.dll
Category : Malware
Comment :
Object : C:\RECYCLER\S-1-5-21-606747145-1957994488-1060284298-1000\Dc7\
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : winlink Module
FileDescription : winlink Module
InternalName : winlink
LegalCopyright : Copyright 2003
OriginalFilename : winlink.DLL


CoolWebSearch Object Recognized!
Type : File
Data : winlink.new
Category : Malware
Comment :
Object : C:\RECYCLER\S-1-5-21-606747145-1957994488-1060284298-1000\Dc7\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 5
ProductName : winlink Module
FileDescription : winlink Module
InternalName : winlink
LegalCopyright : Copyright 2003
OriginalFilename : winlink.DLL


CoolWebSearch Object Recognized!
Type : File
Data : winshow.dll
Category : Malware
Comment :
Object : C:\RECYCLER\S-1-5-21-606747145-1957994488-1060284298-1000\Dc8\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : WinShow Module
FileDescription : WinShow Module
InternalName : WinShow
LegalCopyright : Copyright 2003
OriginalFilename : WinShow.DLL


DealHelper Object Recognized!
Type : File
Data : A0000058.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Redirect Application
FileDescription : Redirect MFC Application
InternalName : Redirect
LegalCopyright : Copyright © 2003
OriginalFilename : Redirect.EXE


TPS108 Object Recognized!
Type : File
Data : A0000060.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\



VX2 Object Recognized!
Type : File
Data : A0000061.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\



DealHelper Object Recognized!
Type : File
Data : A0000062.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : UnInstallKey Application
FileDescription : UnInstallKey MFC Application
InternalName : UnInstallKey
LegalCopyright : Copyright © 2003
OriginalFilename : UnInstallKey.EXE


WurldMedia Object Recognized!
Type : File
Data : A0000063.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : MSCStat2 Application
FileDescription : MSCStat2 MFC Application
InternalName : MSCStat2
LegalCopyright : Copyright © 2002
OriginalFilename : MSCStat2.EXE


SahAgent Object Recognized!
Type : File
Data : A0000064.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\



eUniverse Object Recognized!
Type : File
Data : A0000065.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\



CoolWebSearch Object Recognized!
Type : File
Data : bcqjs.log
Category : Malware
Comment :
Object : C:\WINDOWS\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12


Deep scanning and examining files (G:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : File
Data : A0000066.dll
Category : Malware
Comment :
Object : G:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : winlink Module
FileDescription : winlink Module
InternalName : winlink
LegalCopyright : Copyright 2003
OriginalFilename : winlink.DLL


CoolWebSearch Object Recognized!
Type : File
Data : A0000067.new
Category : Malware
Comment :
Object : G:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 5
ProductName : winlink Module
FileDescription : winlink Module
InternalName : winlink
LegalCopyright : Copyright 2003
OriginalFilename : winlink.DLL


CoolWebSearch Object Recognized!
Type : File
Data : A0000068.dll
Category : Malware
Comment :
Object : G:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : WinShow Module
FileDescription : WinShow Module
InternalName : WinShow
LegalCopyright : Copyright 2003
OriginalFilename : WinShow.DLL


VX2 Object Recognized!
Type : File
Data : A0000069.exe
Category : Malware
Comment :
Object : G:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\



VX2 Object Recognized!
Type : File
Data : A0000070.exe
Category : Malware
Comment :
Object : G:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\
FileVersion : 0, 1, 1, 3
ProductVersion : 0, 1, 1, 3
CompanyName : Better Internet Inc.
FileDescription : www.abetterinternet.com
LegalCopyright : Copyright © 2002


VX2 Object Recognized!
Type : File
Data : A0000071.dll
Category : Malware
Comment :
Object : G:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\
FileVersion : 0, 1, 4, 19
ProductVersion : 0, 1, 4, 19
ProductName : Twaintec
CompanyName : Twain Tech
FileDescription : www.twain-tech.com
InternalName : Twaintec
LegalCopyright : Copyright © 2003
OriginalFilename : Twaintec.dll
Comments : www.twain-tech.com


VX2 Object Recognized!
Type : File
Data : A0000072.ini
Category : Malware
Comment :
Object : G:\System Volume Information\_restore{96C758AE-E89C-44C6-950D-F217CF309790}\RP3\



Disk Scan Result for G:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 19



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Free AOL & Unlimited Internet.url
Category : Misc
Comment : Problematic URL discovered: http://free.aol.com/...ndex.adp?268383
Object : C:\Documents and Settings\Default\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\Documents and Settings\Default\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Free AOL & Unlimited Internet.url
Category : Misc
Comment : Problematic URL discovered: http://free.aol.com/...ndex.adp?268383
Object : C:\Documents and Settings\Default\Favorites\Links\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Free AOL & Unlimited Internet.url
Category : Misc
Comment : Problematic URL discovered: http://free.aol.com/...ndex.adp?268383
Object : C:\Documents and Settings\Default\Desktop\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

YourSiteBar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar
Value : Locked

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {25984661-3482-A9A8-6BD1-7E8B33646034}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : SearchAssistant

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : CustomizeSearch
Data : about:blank

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 43

11:13:41 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:01:48:08.30
Objects scanned:186357
Objects identified:43
Objects ignored:0
New critical objects:43
  • 0

Advertisements


#2
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Welcome! Let's get started..

Ad-aware has found object(s) on your computer

If you choose to clean your computer of what Ad-Aware found, follow the instructions below.

Make sure that you are using the * SE1R43 06.05.2005 * definition file.


Open up Ad-Aware SE and click on the gear to access the Configuration menu. Make sure that this setting is applied.

Click on Tweak > Cleaning engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder);

Run CCleaner to help in this process.
Download CCleaner (Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click Ok.

Note; the path above is of the default installation location for Ad-aware SE, if this is different, adjust it to the location that you have installed it to.

When the scan has completed, select next. In the Scanning Results window, select the "Scan Summary"- tab. Check the box next to any objects you wish to remove. Click next, Click Ok.

If problems are caused by deleting a family, just leave it.


Reboot your computer after removal, run a new "full system scan" and post the results as a reply. Don't open any programs or connect to the internet at this time.

Then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted; once the "Summary of this scan" information is shown, you have posted all of your logfile.

Also, keep in mind that when you are posting another logfile keep "Search for negligible risk entries" deselected as negligible risk entries (Mru's) aren't considered as a threat. This option can be changed when choosing your scan type.

Remember to post your fresh scanlog in THIS topic.

- Rawe :tazz:
  • 0

#3 Bigbop (Topic Starter, New Member, 9 posts)
Thanks for your quick response. I had no idea someone would address my issue so quickly.

I have attached the logfile from my Ad-Aware scan but I also need to let you know that since I posted my last scan I also ran Trojan Hunter which found quite a few nasties on my system and got rid of them. My concern is that after running Trojan Hunter I ran Ad-Aware as per your instructions and it was still finding spyware like coolwebsearch and IST. I suspect there is still something on my system even though the second scan of Ad-Aware did not find anything.

When I launch Windows Explorer and then try to shut it down, explorer.exe gets into some kind of loop and uses up all of my processing capacity. IE is completely snafu and I can't uninstall it because my add/remove programs window does not show any programs loaded. What I think I need to do is to set up a system restore but I can't do that right now because my system restore window comes up blank.

Any suggestions?


Ad-Aware SE Build 1.05
Logfile Created on:Sunday, May 08, 2005 8:44:43 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R43 06.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
None
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R43 06.05.2005
Internal build : 50
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 467649 Bytes
Total size : 1414672 Bytes
Signature data size : 1383852 Bytes
Reference data size : 30308 Bytes
Signatures total : 39494
Fingerprints total : 847
Fingerprints size : 28739 Bytes
Target categories : 15
Target families : 663


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:63 %
Total physical memory:327152 kb
Available physical memory:203460 kb
Total page file size:696920 kb
Available on page file:628404 kb
Total virtual memory:2097024 kb
Available virtual memory:2048836 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


5-8-2005 8:44:43 AM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 192
ThreadCreationTime : 5-8-2005 2:29:30 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 276
ThreadCreationTime : 5-8-2005 2:29:52 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 300
ThreadCreationTime : 5-8-2005 2:29:53 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 344
ThreadCreationTime : 5-8-2005 2:29:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 356
ThreadCreationTime : 5-8-2005 2:29:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 512
ThreadCreationTime : 5-8-2005 2:30:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 572
ThreadCreationTime : 5-8-2005 2:30:03 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessID : 628
ThreadCreationTime : 5-8-2005 2:30:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 852
ThreadCreationTime : 5-8-2005 2:31:30 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
ProcessID : 968
ThreadCreationTime : 5-8-2005 2:36:48 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Deep scanning and examining files (G:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for G:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 0


9:15:27 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:30:44.572
Objects scanned:195584
Objects identified:0
Objects ignored:0
New critical objects:0
:tazz: ;) ;)
  • 0

#4 Bigbop (Topic Starter, New Member, 9 posts)
One more thing...the explorer.exe problem does not occur in safe mode.
  • 0

#5 Rawe (Visiting Staff, 4,746 posts)
Your scanlog seems to be clean ;)

Did you follow all my instructions?
Run these online virus scans here;
- F-secure
- Trend Micro

Post the results to this topic. I'll take a look.

- Rawe :tazz:
  • 0

#6 Bigbop (Topic Starter, New Member, 9 posts)
Yes I did. The only thing I could not do was run crap cleaner. It gave me the following error when I tried to run it.

runtime error 429
Active x component cant create object.

I will try the online virus scans and post the results as soon as I have them
  • 0

#7 Bigbop (Topic Starter, New Member, 9 posts)
I used Trend Micro and it gave me the following list. I am still trying to get it to clean up the problems but my mozilla browser is eating up my cpu when the scan is done and I can't get the Trend Micro to start deleting these files. One thing I did notice was that Norton was picking up TrojanByte while Trend Micro was running.

Cannot use F-Secure as it is only compatible with IE.

Will try it again. Let me know if you have any suggestions


HTML_COOLWEB.A
JAVA_NOCHEAT.A
JAVA_FEMAD.B
JAVA_BYTEVER.A
TROJ_STARTPAG.JR
JAVA_BYTEVER.A-1
TROJ_STARTPAGE.A
HTML_AVDER.A
JAVA_BYTEVER.B
JAVA_BYTEVER.G
TROJ_STARTPAG.NF
TROJ_STRTPAGE.PP
JAVA_BYTEVER.C
JAVA_SHIWOW.A
TROJ_CLICKER.L
TROJ_ISTBAR.CJ
TROJ_DSS.A
TROJ_ISTBAR.CF
TROJ_DLOADER.GE
TROJDLOADER.HD
TROJ_AGENT.JI
TROJ_DLOADER.HP
TROJ_STARTPGE.BG
TROJ_WINSHOW.A
  • 0

#8 Bigbop (Topic Starter, New Member, 9 posts)
I have now run Trend Micro 3 times and every time I try to clean the problems it freezes up on me. Here is the report from the Java Console.

Java™ Plug-in: Version 1.4.0_01
Using JRE version 1.4.0_01 Java HotSpot™ Client VM
User home directory = C:\Documents and Settings\Default

Proxy Configuration: Browser Proxy Configuration

----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system properties
t: dump thread list
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
Using Forwarder (Version 2)

Runtime.exec(C:\PROGRA~1\Java\J2RE14~1.0_0\bin\java.exe -jar "C:\Documents and Settings\Default\.housecall/housecall-client.jar");

No pattern-update necessary!

Client-Stream-Protocol Version:1.2

Engine-Update Finished!

C:\Documents and Settings\Default\.housecall\resource\pattern\additionals\tscptn.zip|tscptn.zip

Downloaded Additional Pattern file (dcs) is corrupt, or could not be found.java.util.zip.ZipException: error in opening zip file
java.util.zip.ZipException: error in opening zip file
at java.util.zip.ZipFile.open(Native Method)
at java.util.zip.ZipFile.<init>(Unknown Source)
at java.util.zip.ZipFile.<init>(Unknown Source)
at com.trendmicro.web.housecall.network.B.B.B(Unknown Source)
at com.trendmicro.web.housecall.network.B.C$3.run(Unknown Source)

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:VirusInfoPackage: [ JAVA_NOCHEAT.A / Java Applet ]

Requesting 2 VirusInfoPackages:

- Received:VirusInfoPackage: [ JAVA_BYTEVER.A / Java Applet ]

- Received:VirusInfoPackage: [ JAVA_FEMAD.B / Trojan ]

Requesting 4 VirusInfoPackages:

- Received:VirusInfoPackage: [ TROJ_STARTPAGE.A / Trojan ]

- Received:null

- Received:VirusInfoPackage: [ JAVA_BYTEVER.K / JavaScript ]

- Received:VirusInfoPackage: [ TROJ_STARTPAG.JR / Trojan ]

Requesting 1 VirusInfoPackages:

- Received:VirusInfoPackage: [ HTML_ADVER.A / Html ]

Requesting 2 VirusInfoPackages:

- Received:null

- Received:VirusInfoPackage: [ JAVA_BYTEVER.B / Others ]

Requesting 1 VirusInfoPackages:

- Received:VirusInfoPackage: [ TROJ_STARTPAG.NF / Trojan ]

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:VirusInfoPackage: [ TROJ_STRTPAGE.PP / Trojan ]

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:VirusInfoPackage: [ TROJ_CLICKER.L / Trojan ]

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:VirusInfoPackage: [ TROJ_DSS.A / Trojan ]

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:VirusInfoPackage: [ TROJ_AGENT.JI / Trojan ]

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:null

Requesting 1 VirusInfoPackages:

- Received:VirusInfoPackage: [ TROJ_WINSHOW.A / Trojan ]

Reported an Infection on:HTML_COOLWEB.A

Reported an Infection on:JAVA_NOCHEAT.A

Reported an Infection on:JAVA_FEMAD.B

Reported an Infection on:JAVA_BYTEVER.A

Reported an Infection on:TROJ_STARTPAG.JR

Reported an Infection on:JAVA_BYTEVER.K

Reported an Infection on:JAVA_BYTEVER.A-1

Reported an Infection on:TROJ_STARTPAGE.A

Reported an Infection on:HTML_ADVER.A

Reported an Infection on:JAVA_BYTEVER.B

Reported an Infection on:JAVA_BYTEVER.G

Reported an Infection on:TROJ_STARTPAG.NF

Reported an Infection on:JAVA_BYTEVER.J

Reported an Infection on:TROJ_STRTPAGE.PP

Reported an Infection on:JAVA_BYTEVER.C

Reported an Infection on:JAVA_SHIWOW.A

Reported an Infection on:TROJ_CLICKER.L

Reported an Infection on:TROJ_ISTBAR.CJ

Reported an Infection on:TROJ_DSS.A

Reported an Infection on:TROJ_ISTBAR.CF

Reported an Infection on:TROJ_DLOADER.GE

Reported an Infection on:TROJ_DLOADER.HD

Reported an Infection on:TROJ_AGENT.JI

Reported an Infection on:TROJ_DLOADER.HP

Reported an Infection on:TROJ_STARTPGE.BG

Reported an Infection on:TROJ_WINSHOW.A
  • 0

#9 Rawe (Visiting Staff, 4,746 posts)
Yes, Trojans as I expected.
Let's try Trojan Hunter <--- 30 days free trial.
(Just use the trial version, no need to buy) ;)

- Rawe :tazz:
  • 0

#10 Bigbop (Topic Starter, New Member, 9 posts)
Already tried it
  • 0

#11 Guest_numbnuts_* (Guest)
Hello, Bigbop Please try this if you wish to clean your Machine..

The files found are in your restore folder that no program can clean without you disabling it first..

Please do this if you want to clean that folder
http://service1.syma...src=sec_doc_nam


Then do the on line Virus Scans.. Delete/Disinfect what is found ..

Reboot/Restart your computer..


Scan again with, Ad-aware delete what is found..

Reboot/Restart your computer …..



Scan again with Ad-aware…Post the new log here..

Then if you are clean we can set a new Restore point …
But only, if you’re clean…

Regards..

numbnuts .. :tazz:
  • 0

#12 Bigbop (Topic Starter, New Member, 9 posts)
Thanks for responding numbnuts.
Here is my situation

I have already turned off system restore but my problem is that I can't find an online virus scanner that will work. IE is completely fouled up on my computer and the only online virus scanner I found that is compatible with firefox is housecall (trend micro). The problem with Housecall is that after it goes through the detection process it freezes up on me after I try to get it to clean what it has detected.

I have tried this several times and I get the same problem every time. I even cleared my Java cache beforehand but it still finds the trojans and freezes up.


Any suggestions?
  • 0

#13 Guest_numbnuts_* (Guest)
Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.
  • 0





