Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

[Referred]smitfraud


  • Please log in to reply

#1
lilli

lilli

    Member

  • Member
  • PipPip
  • 16 posts
please help me, three weeks ago i had the blue screen etc, i have followed lots of different instructions and got my wallpaper back. i have run ad-aware and spybot and trend. my macafee virus scan finds nothing but the background system scan keeps coming up with infected files called downloader YN in temp files or restore files and sometimes deletes them and sometimes cant. i am pretty useless on this sort of stuff so please give me idiot proof instructions. tried to download killbox but couldnt seem to run it. tried system restore but it wont let me go back to before all the trouble began. i want to throw my computer out the window now!!! also there have been various instructions to use windows explorer, when i click on it my documents file opens.
here is my logfile
thank you in anticipation
i hope i can find your answer! lol!

Logfile removed: Incorrect Logfile type posted

Edited by Andy_veal, 11 May 2005 - 03:39 PM.

  • 0

Advertisements


#2
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
In order to assist you, we need to see the log from an Ad-Aware SE 1.05 full system scan.

Important Note! Before performing a scan, be sure that you have the most recent definitions file by using WebUpdate. (Click on the Globe icon, Click connect, Click OK, Click Finish.) At this current point * SE1R44 10.05.2005 * is the most recent definition file.

Ad-Aware SE comes preconfigured with default options so we need you to make only one change. Please deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Select "Perform Full System Scan" and press "Next". When the scan has completed, click "Show Logfile".

Please copy/paste the complete log file here using the reply button. Don't quarantine or remove anything at this time, just post a complete logfile. This sometimes takes 2-3 posts to get it all posted. You will know you are at the end when you see the "Summary of this scan" information has been posted.

When you have posted your log here, Team Lavasoft can advise on what to do next.

Please post back if you have any questions or other problems.


Good luck

Andy
  • 0

#3
lilli

lilli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi Andy

Thank you so much for your quick reply
I hope i have done it right this time
as i said earlier i am pretty useless
now i have posted the log i will delete the critical objects
looking forward to the next step

lilli


Ad-Aware SE Build 1.05
Logfile Created on:11 May 2005 23:13:14
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R44 10.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie(TAC index:3):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R44 10.05.2005
Internal build : 52
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 470885 Bytes
Total size : 1423894 Bytes
Signature data size : 1392940 Bytes
Reference data size : 30442 Bytes
Signatures total : 39753
Fingerprints total : 872
Fingerprints size : 29756 Bytes
Target categories : 15
Target families : 668


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium II
Memory available:0 %
Total physical memory:114176 kb
Available physical memory:376 kb
Total page file size:1982972 kb
Available on page file:1849404 kb
Total virtual memory:2093056 kb
Available virtual memory:2042880 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Run scan as background process (Low CPU usage)
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-05-2005 23:13:14 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293870813
Threads : 4
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294935101
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294845437
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294846905
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294844145
Threads : 2
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:6 [STIMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\STIMON.EXE
Command Line : C:\WINDOWS\SYSTEM\STIMON.EXE
ProcessID : 4294878073
Threads : 5
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:7 [AVSYNMGR.EXE]
ModuleName : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
Command Line : "C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE"
ProcessID : 4294841429
Threads : 4
Priority : Normal


#:8 [AOLACSD.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
Command Line : "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
ProcessID : 4294883461
Threads : 21
Priority : Normal


#:9 [SPOOLSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
Command Line : C:\WINDOWS\System\spoolsrv32.exe
ProcessID : 4294889409
Threads : 3
Priority : Normal


#:10 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4294797981
Threads : 17
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:11 [STMGR.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
Command Line : C:\WINDOWS\System\Restore\StMgr.exe
ProcessID : 4294726729
Threads : 4
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:12 [VSSTAT.EXE]
ModuleName : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
Command Line : "C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VsStat.exe"
ProcessID : 4294829105
Threads : 2
Priority : Normal


#:13 [TASKMON.EXE]
ModuleName : C:\WINDOWS\TASKMON.EXE
Command Line : "C:\WINDOWS\taskmon.exe"
ProcessID : 4294760441
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:14 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4294762033
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:15 [PCTVOICE.EXE]
ModuleName : C:\WINDOWS\PCTVOICE.EXE
Command Line : "C:\WINDOWS\pctvoice.exe"
ProcessID : 4293094185
Threads : 3
Priority : Normal
FileVersion : 0.0
ProductVersion : 1.0
ProductName : PCTVOICE
CompanyName : PCtel, Inc.
FileDescription : PCTVOICE
InternalName : PCTVOICE
LegalCopyright : Copyright © PCtel,Inc. 2000 - 2001
Comments : Written by: Cathy Luo

#:16 [E_S10IC2.EXE]
ModuleName : C:\WINDOWS\SYSTEM\E_S10IC2.EXE
Command Line : "C:\WINDOWS\SYSTEM\E_S10IC2.EXE" /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
ProcessID : 4293085245
Threads : 1
Priority : Normal
FileVersion : 3.05
ProductVersion : 3.05
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S10IC2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2002
OriginalFilename : E_S10IC2.EXE

#:17 [SPOOL32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOL32.EXE
Command Line : C:\WINDOWS\SYSTEM\spool32.exe
ProcessID : 4293111077
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:18 [TAPISRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TAPISRV.EXE
Command Line : tapisrv.exe
ProcessID : 4293112045
Threads : 7
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Windows™ Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright © Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:19 [AOLDIAL.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
Command Line : "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
ProcessID : 4293071081
Threads : 13
Priority : Normal
FileVersion : 2.6.6.3.UK.53
ProductVersion : 2.6.6.3.UK.53
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe

#:20 [REALPLAY.EXE]
ModuleName : C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
Command Line : "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
ProcessID : 4293124993
Threads : 6
Priority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:21 [LOADQM.EXE]
ModuleName : C:\WINDOWS\LOADQM.EXE
Command Line : "C:\WINDOWS\loadqm.exe"
ProcessID : 4293104969
Threads : 3
Priority : Normal
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
ProductName : QMgr Loader
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : LOADQM.EXE

#:22 [AVCONSOL.EXE]
ModuleName : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
Command Line : "C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\Avconsol.exe"
ProcessID : 4293019237
Threads : 2
Priority : Normal


#:23 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe WMI_ffe337b1
ProcessID : 4293070361
Threads : 3
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:24 [AOLTRAY.EXE]
ModuleName : C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
Command Line : "C:\Program Files\AOL 9.0\aoltray.exe" -check
ProcessID : 4293061509
Threads : 1
Priority : Normal
FileVersion : 9.00.001
ProductVersion : 9.00.001
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
LegalCopyright : Copyright © America Online, Inc. 1999 - 2004

#:25 [QUICKDCF.EXE]
ModuleName : C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
Command Line : "C:\Program Files\FinePixViewer\QuickDCF.exe"
ProcessID : 4293066597
Threads : 1
Priority : Normal
FileVersion : 3, 0, 0, 0
ProductVersion : 3, 0, 0, 0
ProductName : FinePixViewer
CompanyName : FUJI PHOTO FILM CO., LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
LegalCopyright : Copyright 2000-2002 FUJI PHOTO FILM CO.,LTD.
OriginalFilename : QuickDCF.exe

#:26 [WKCALREM.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
Command Line : "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe"
ProcessID : 4292998357
Threads : 2
Priority : Normal
FileVersion : 5.00.1928.1
ProductVersion : 5.00.1928.1
ProductName : Microsoft® Works 2000
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : © 1999 Microsoft Corp. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:27 [VSHWIN32.EXE]
ModuleName : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
Command Line : "C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\Vshwin32.exe"
ProcessID : 4292999441
Threads : 6
Priority : Normal


#:28 [DDHELP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\DDHELP.EXE
Command Line : ddhelp.exe
ProcessID : 4293227965
Threads : 5
Priority : Realtime
FileVersion : 4.08.00.0400
ProductVersion : 4.08.00.0400
ProductName : Microsoft® DirectX for Windows® 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2000
OriginalFilename : DDHelp.exe

#:29 [WAOL.EXE]
ModuleName : C:\PROGRAM FILES\AOL 9.0\WAOL.EXE
Command Line : "C:\PROGRAM FILES\AOL 9.0\waol.exe"
ProcessID : 4293189877
Threads : 21
Priority : Normal


#:30 [SHELLMON.EXE]
ModuleName : C:\PROGRAM FILES\AOL 9.0\SHELLMON.EXE
Command Line : "C:\PROGRAM FILES\AOL 9.0\shellmon.exe"
ProcessID : 4293168541
Threads : 1
Priority : Normal


#:31 [AOLTPSPD.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
Command Line : -p11523 -S256 -s443 -l443 -G"C:\WINDOWS\All Users\Application Data\AOL\C_AOL 9.0\vph.ph" -c1 -Z -H4293189877
ProcessID : 4293330353
Threads : 3
Priority : Normal
FileVersion : 1, 1, 0, 0
ProductVersion : [v1.1-4] On Tue 03/16/2004 21:24:09.18
ProductName : AOL TopSpeed™
CompanyName : America Online Inc
FileDescription : AOL TopSpeed™
InternalName : AOL TopSpeed™
LegalCopyright : Copyright © America Online 2003
LegalTrademarks : AOL TopSpeed™
OriginalFilename : aoltpspd.exe

#:32 [RNAAPP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RNAAPP.EXE
Command Line : rnaapp.exe -l
ProcessID : 4293272045
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
LegalCopyright : Copyright © Microsoft Corp. 1992-1996
OriginalFilename : RNAAPP.EXE

#:33 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4293162437
Threads : 2
Priority : Idle
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@doubleclick[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:bill gates@doubleclick.net/
Expires : 11-05-2005 23:13:50
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@advertising[1].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:bill gates@advertising.com/
Expires : 10-05-2010 22:58:50
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@servedby.advertising[2].txt
Category : Data Miner
Comment : Hits:4
Value : Cookie:bill gates@servedby.advertising.com/
Expires : 10-06-2005 22:58:50
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 3



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@doubleclick[1].txt
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\bill gates@doubleclick[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@advertising[1].txt
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\bill gates@advertising[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@servedby.advertising[2].txt
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\bill gates@servedby.advertising[2].txt

Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6

23:24:29 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:14.370
Objects scanned:85079
Objects identified:6
Objects ignored:0
New critical objects:6
  • 0

#4
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manger. Click on the Processes tab and end the following processes:

List any files going to be deleted that are running

Exit Task Manager.

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it for use while in Safe Mode.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop but do NOT run it yet.

* Please reboot into Safe Mode by restarting your computer and tapping F8 continuously as your computer is booting up until a menu appears. use your up arrow key to highlight "Safe Mode", then hit enter

* Once in Safe Mode, please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Yes, we need you to go back into Safe Mode!

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new Ad-aware SE Logfile.
  • 0

#5
lilli

lilli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
i tried similar instructions earlier from someone else's thread. i couldnt run killbox and my windows explorer just takes me to documents. Security IGuard Virtual Maid and Search Maid are not in my computer.
i dont have a processes tab in task manager. so i cant follow instructions
sorry am i doing something wrong?
  • 0

#6
lilli

lilli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
sorry, i also dont know how to unzip killbox to my desktop


hi andy

ok i have killbox on my desktop, put the computer into safe mode and when i try to copy file names to clipboard nothing happens, i am sure i am doing something wrong. thanks for your patience. not quite so stupid in real life, just with computers!!

thanks.

went to the next step, downloaded registrar lite, copied line got to the policies folder no system folder in there to delete

macafee system scan still finding infected files every so often, trend finds nothing

will wait for new instructions

Edited by lilli, 12 May 2005 - 03:06 PM.

  • 0

#7
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
To Copy:

Ctrl C

To Paste:

Ctrl V


Each file needs to be inserted by itself. :tazz:

Otherwise please write down or print off the path lines for the program and input the file paths manually

Thanks
  • 0

#8
lilli

lilli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
hi andy

hope you had a good day

thanks for the new advice, i have entered each file in killbox and rebooted but have no windows explorer for the next step.

here is a new scan
not finding bad registrykeys so must have done something right!

sitting here with a very large glass of wine and a big bar of chocolate before i hang myself or this wretched computer lol

Ad-Aware SE Build 1.05
Logfile Created on:12 May 2005 23:26:14
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R44 10.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R44 10.05.2005
Internal build : 52
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 470885 Bytes
Total size : 1423894 Bytes
Signature data size : 1392940 Bytes
Reference data size : 30442 Bytes
Signatures total : 39753
Fingerprints total : 872
Fingerprints size : 29756 Bytes
Target categories : 15
Target families : 668


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium II
Memory available:0 %
Total physical memory:114176 kb
Available physical memory:2776 kb
Total page file size:1982972 kb
Available on page file:1858028 kb
Total virtual memory:2093056 kb
Available virtual memory:2042880 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Run scan as background process (Low CPU usage)
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-05-2005 23:26:14 - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293875119
Threads : 4
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294939471
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294849167
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294850763
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294838395
Threads : 2
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:6 [STIMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\STIMON.EXE
Command Line : C:\WINDOWS\SYSTEM\STIMON.EXE
ProcessID : 4294861015
Threads : 5
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:7 [AVSYNMGR.EXE]
ModuleName : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
Command Line : "C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE"
ProcessID : 4294837543
Threads : 4
Priority : Normal


#:8 [AOLACSD.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
Command Line : "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
ProcessID : 4294879983
Threads : 21
Priority : Normal


#:9 [SPOOLSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
Command Line : C:\WINDOWS\System\spoolsrv32.exe
ProcessID : 4294899107
Threads : 3
Priority : Normal


#:10 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4294897647
Threads : 19
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:11 [STMGR.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
Command Line : C:\WINDOWS\System\Restore\StMgr.exe
ProcessID : 4294730539
Threads : 4
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:12 [TASKMON.EXE]
ModuleName : C:\WINDOWS\TASKMON.EXE
Command Line : "C:\WINDOWS\taskmon.exe"
ProcessID : 4294769611
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:13 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4294762407
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:14 [PCTVOICE.EXE]
ModuleName : C:\WINDOWS\PCTVOICE.EXE
Command Line : "C:\WINDOWS\pctvoice.exe"
ProcessID : 4293092611
Threads : 3
Priority : Normal
FileVersion : 0.0
ProductVersion : 1.0
ProductName : PCTVOICE
CompanyName : PCtel, Inc.
FileDescription : PCTVOICE
InternalName : PCTVOICE
LegalCopyright : Copyright © PCtel,Inc. 2000 - 2001
Comments : Written by: Cathy Luo

#:15 [E_S10IC2.EXE]
ModuleName : C:\WINDOWS\SYSTEM\E_S10IC2.EXE
Command Line : "C:\WINDOWS\SYSTEM\E_S10IC2.EXE" /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
ProcessID : 4293089327
Threads : 1
Priority : Normal
FileVersion : 3.05
ProductVersion : 3.05
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S10IC2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2002
OriginalFilename : E_S10IC2.EXE

#:16 [TAPISRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TAPISRV.EXE
Command Line : tapisrv.exe
ProcessID : 4293085599
Threads : 7
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Windows™ Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright © Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:17 [SPOOL32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOL32.EXE
Command Line : C:\WINDOWS\SYSTEM\spool32.exe
ProcessID : 4293076323
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:18 [AOLDIAL.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
Command Line : "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
ProcessID : 4294759475
Threads : 13
Priority : Normal
FileVersion : 2.6.6.3.UK.53
ProductVersion : 2.6.6.3.UK.53
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe

#:19 [VSSTAT.EXE]
ModuleName : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
Command Line : "C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VsStat.exe"
ProcessID : 4294821515
Threads : 2
Priority : Normal


#:20 [REALPLAY.EXE]
ModuleName : C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
Command Line : "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
ProcessID : 4293097915
Threads : 6
Priority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:21 [LOADQM.EXE]
ModuleName : C:\WINDOWS\LOADQM.EXE
Command Line : "C:\WINDOWS\loadqm.exe"
ProcessID : 4293070299
Threads : 3
Priority : Normal
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
ProductName : QMgr Loader
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : LOADQM.EXE

#:22 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe WMI_fffcd993
ProcessID : 4293099967
Threads : 3
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:23 [AVCONSOL.EXE]
ModuleName : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
Command Line : "C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\Avconsol.exe"
ProcessID : 4293116559
Threads : 2
Priority : Normal


#:24 [AOLTRAY.EXE]
ModuleName : C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
Command Line : "C:\Program Files\AOL 9.0\aoltray.exe" -check
ProcessID : 4293046927
Threads : 1
Priority : Normal
FileVersion : 9.00.001
ProductVersion : 9.00.001
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
LegalCopyright : Copyright © America Online, Inc. 1999 - 2004

#:25 [QUICKDCF.EXE]
ModuleName : C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
Command Line : "C:\Program Files\FinePixViewer\QuickDCF.exe"
ProcessID : 4293046871
Threads : 1
Priority : Normal
FileVersion : 3, 0, 0, 0
ProductVersion : 3, 0, 0, 0
ProductName : FinePixViewer
CompanyName : FUJI PHOTO FILM CO., LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
LegalCopyright : Copyright 2000-2002 FUJI PHOTO FILM CO.,LTD.
OriginalFilename : QuickDCF.exe

#:26 [WKCALREM.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
Command Line : "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe"
ProcessID : 4293013643
Threads : 2
Priority : Normal
FileVersion : 5.00.1928.1
ProductVersion : 5.00.1928.1
ProductName : Microsoft® Works 2000
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : © 1999 Microsoft Corp. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:27 [VSHWIN32.EXE]
ModuleName : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
Command Line : "C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\Vshwin32.exe"
ProcessID : 4292871943
Threads : 6
Priority : Normal


#:28 [RNAAPP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RNAAPP.EXE
Command Line : rnaapp.exe -l
ProcessID : 4292995023
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
LegalCopyright : Copyright © Microsoft Corp. 1992-1996
OriginalFilename : RNAAPP.EXE

#:29 [WAOL.EXE]
ModuleName : C:\PROGRAM FILES\AOL 9.0\WAOL.EXE
Command Line : "C:\PROGRAM FILES\AOL 9.0\waol.exe"
ProcessID : 4292990739
Threads : 18
Priority : Normal


#:30 [SHELLMON.EXE]
ModuleName : C:\PROGRAM FILES\AOL 9.0\SHELLMON.EXE
Command Line : "C:\PROGRAM FILES\AOL 9.0\shellmon.exe"
ProcessID : 4293263455
Threads : 1
Priority : Normal


#:31 [AOLTPSPD.EXE]
ModuleName : C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
Command Line : -p11523 -S256 -s443 -l443 -G"C:\WINDOWS\All Users\Application Data\AOL\C_AOL 9.0\vph.ph" -c1 -Z -H4292990739
ProcessID : 4293276327
Threads : 3
Priority : Normal
FileVersion : 1, 1, 0, 0
ProductVersion : [v1.1-4] On Tue 03/16/2004 21:24:09.18
ProductName : AOL TopSpeed™
CompanyName : America Online Inc
FileDescription : AOL TopSpeed™
InternalName : AOL TopSpeed™
LegalCopyright : Copyright © America Online 2003
LegalTrademarks : AOL TopSpeed™
OriginalFilename : aoltpspd.exe

#:32 [DDHELP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\DDHELP.EXE
Command Line : ddhelp.exe
ProcessID : 4293209879
Threads : 5
Priority : Realtime
FileVersion : 4.08.00.0400
ProductVersion : 4.08.00.0400
ProductName : Microsoft® DirectX for Windows® 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2000
OriginalFilename : DDHelp.exe

#:33 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4293171635
Threads : 2
Priority : Idle
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@atdmt[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:bill gates@atdmt.com/
Expires : 11-05-2010 01:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@doubleclick[2].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:bill gates@doubleclick.net/
Expires : 11-05-2008 17:27:36
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@2o7[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:bill gates@2o7.net/
Expires : 11-05-2010 22:07:20
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@advertising[1].txt
Category : Data Miner
Comment : Hits:13
Value : Cookie:bill gates@advertising.com/
Expires : 11-05-2010 23:11:16
LastSync : Hits:13
UseCount : 0
Hits : 13

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bill gates@servedby.advertising[2].txt
Category : Data Miner
Comment : Hits:12
Value : Cookie:bill gates@servedby.advertising.com/
Expires : 11-06-2005 23:11:16
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 5



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Disk Scan Result for C:\WINDOWS\SYSTEM
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Disk Scan Result for C:\WINDOWS\TEMP\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

23:28:50 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:35.600
Objects scanned:35821
Objects identified:5
Objects ignored:0
New critical objects:5
  • 0

#9
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest

#:9 [SPOOLSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
Command Line : C:\WINDOWS\System\spoolsrv32.exe
ProcessID : 4294899107
Threads : 3
Priority : Normal


This is a virus.

Please scan your computer with one of the free following online anti-virus scanners:


Panda

Symantec

McAfee

TrendMicro Recommended

F-secure


Thank you

Andy
  • 0

#10
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest

hi andy

hope you had a good day

thanks for the new advice, i have entered each file in killbox and rebooted but have no windows explorer for the next step.

here is a new scan
not finding bad registrykeys so must have done something right!

sitting here with a very large glass of wine and a big bar of chocolate before i hang myself or this wretched computer lol


In reply, Its been a busy day. Rather tired :tazz:

But otherwise my day has been good!

I hope you enjoy your wine (Red or white) and your chocolate!

;)

Thanks
  • 0

Advertisements


#11
lilli

lilli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
i ran trend about two hours ago found nothing

i will try all the other aswell

thanks again

Edited by lilli, 12 May 2005 - 04:39 PM.

  • 0

#12
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.
  • 0

#13
lilli

lilli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
thanks andy and goodnight

here is my log file i hope i did it right

please help me someone this is driving me mad.

dont know why i dont have windows explorer can i get it from somewhere?




Logfile of HijackThis v1.99.1
Scan saved at 00:07:52, on 13/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\AOL 9.0\WAOL.EXE
C:\PROGRAM FILES\AOL 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=959
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.pas...uth.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4BF2F769-637E-41C9-AEB6-E21719465B50} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.co...._1/axofupld.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game18.zylomg...gamesplayer.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...478/mcfscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


here are the results of active scan

Incident Status Location

Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\SPOOLS~1.EXE
Adware:Adware/Tubby No disinfected C:\WINDOWS\SYSTEM\MTC.ini
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Adware:Adware/Tubby No disinfected C:\WINDOWS\SYSTEM\MTC.ini
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\spoolsrv32.exe

its quarter past one in the morning in good old london town, going to bed now will check in again in the morning

thanks again

hope to speak to someone tomorrow

Edited by lilli, 12 May 2005 - 06:17 PM.

  • 0

#14
lilli

lilli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
good morning

i am back and wondering if i reinstall windows will i get explorer back, found the disc.
thanks anyone
  • 0

#15
lilli

lilli

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
just ran trend again and it found nothing
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP