Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora, Nail.exe, A better internet.[RESOLVED]


  • This topic is locked This topic is locked

#1
Eyespy

Eyespy

    New Member

  • Member
  • Pip
  • 9 posts
I got myself malware bombed, I've cleaned up most of it, but a number of files simply wont die. Specifically Nail.exe and hcipiwyff.exe (aurora buddy) which are lurning around in my /Windows and /Windows/System32 folders. There are also some .exe's ID'd as www.abetterinternet.com showing up in my firewall that dont show in Adaware, but they might be symptoms of the above.

I'm running Win XP Home. Adaware SE, Spybot, Hijackthis 1.99 and Microsoft Antispyware, if thats any help.


Here's the log.

Logfile removed:Incorrect Logfile type posted

Edited by Andy_veal, 12 May 2005 - 10:35 AM.

  • 0

Advertisements


#2
koryo

koryo

    Member

  • Member
  • PipPip
  • 26 posts
Hi, im in a real sticky situation, this aurora popup seems to have snuck into my bios settings, even when i reformat i still get the popup after i reinstall windows, i have AVG, Windows antispy, Spy bot, and Spyware doctor, also i have Adaware 6.0, but i cant get rid of the stup[id thing, its one sneaky little devil. any help would be really appreciated

I dont mind looking at the board now and again, but it would be a lot easier if you would please e.mail me, thank you

my e.mail is Email Address removed: Spammers search forums for email addresses

HJT Logfile removed:Not requested

Edited by Andy_veal, 12 May 2005 - 10:33 AM.

  • 0

#3
Eyespy

Eyespy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Hi, im in a real sticky situation


Try reading the FAQ, specifically the parts which says not to post in other peoples threads. Then read the part that says this is the Adaware forum, and not for Hijackthis logs.
  • 0

#4
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
In order to assist you, we need to see the log from an Ad-Aware SE 1.05 full system scan.

Important Note! Before performing a scan, be sure that you have the most recent definitions file by using WebUpdate. (Click on the Globe icon, Click connect, Click OK, Click Finish.) At this current point * SE1R44 10.05.2005 * is the most recent definition file.

Ad-Aware SE comes preconfigured with default options so we need you to make only one change. Please deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Select "Perform Full System Scan" and press "Next". When the scan has completed, click "Show Logfile".

Please copy/paste the complete log file here using the reply button. Don't quarantine or remove anything at this time, just post a complete logfile. This sometimes takes 2-3 posts to get it all posted. You will know you are at the end when you see the "Summary of this scan" information has been posted.

When you have posted your log here, Team Lavasoft can advise on what to do next.

Please post back if you have any questions or other problems.


Good luck

Andy
  • 0

#5
koryo

koryo

    Member

  • Member
  • PipPip
  • 26 posts
i apologise, i didn't realise and im sorry, i will read up as soon as i get chance

Ok i took your advice, i wish i downloaded this earlyer lol, i have 260 critical errors lol ,i dont think its funny, ok, i really need help to remove them.

Here is the log file for you


Ad-Aware SE Build 1.05
Logfile Created on:12 May 2005 18:28:33
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R44 10.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):29 total references
Alexa(TAC index:5):11 total references
BargainBuddy(TAC index:8):20 total references
CoolWebSearch(TAC index:10):20 total references
DyFuCA(TAC index:3):63 total references
Hijacker.TopConverting(TAC index:5):1 total references
istbar(TAC index:7):13 total references
MRU List(TAC index:0):12 total references
Other(TAC index:5):2 total references
Possible Browser Hijack attempt(TAC index:3):3 total references
Powerscan(TAC index:5):6 total references
Rads01.Quadrogram(TAC index:6):2 total references
SideFind(TAC index:5):6 total references
Tracking Cookie(TAC index:3):24 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):53 total references
ZyncosMark(TAC index:3):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-05-2005 18:28:33 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 804
ThreadCreationTime : 12-05-2005 15:52:06
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 856
ThreadCreationTime : 12-05-2005 15:52:07
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 880
ThreadCreationTime : 12-05-2005 15:52:08
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 924
ThreadCreationTime : 12-05-2005 15:52:08
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 936
ThreadCreationTime : 12-05-2005 15:52:08
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1120
ThreadCreationTime : 12-05-2005 15:52:08
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1268
ThreadCreationTime : 12-05-2005 15:52:08
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1492
ThreadCreationTime : 12-05-2005 15:52:09
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1544
ThreadCreationTime : 12-05-2005 15:52:09
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1780
ThreadCreationTime : 12-05-2005 15:52:09
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
Warning! VX2 Object found in memory(C:\WINDOWS\system32\DrPMon.dll)

VX2 Object Recognized!
Type : Process
Data : DrPMon.dll
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


#:11 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 2036
ThreadCreationTime : 12-05-2005 15:52:17
BasePriority : Normal
FileVersion : 7,0,0,175
ProductVersion : 7.0.0.175
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2003, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:12 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 132
ThreadCreationTime : 12-05-2005 15:52:17
BasePriority : Normal
FileVersion : 7,0,0,132
ProductVersion : 7.0.0.132
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2002, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:13 [swnetsup.exe]
FilePath : C:\Program Files\Sophos SWEEP for NT\
ProcessID : 264
ThreadCreationTime : 12-05-2005 15:52:17
BasePriority : Normal
FileVersion : 1.00.0235
ProductVersion : 3 (Build 0235)
ProductName : Sophos Anti-Virus
CompanyName : Sophos Plc
FileDescription : Sophos Anti-Virus network support service
InternalName : SWNETSUP
LegalCopyright : © 1989-2005 Sophos Plc, www.sophos.com
LegalTrademarks : SWEEP®, InterCheck®, and SAVI®, are trademarks of Sophos® Plc.
OriginalFilename : SWNETSUP.EXE

#:14 [sweepsrv.sys]
FilePath : C:\Program Files\Sophos SWEEP for NT\
ProcessID : 324
ThreadCreationTime : 12-05-2005 15:52:17
BasePriority : Normal
FileVersion : 2.01.0235
ProductVersion : 3 (Build 0235)
ProductName : Sophos Anti-Virus
CompanyName : Sophos Plc
FileDescription : Sophos Anti-Virus detection system service
InternalName : SWEEPSRV
LegalCopyright : © 1989-2005 Sophos Plc, www.sophos.com
LegalTrademarks : SWEEP®, InterCheck®, and SAVI®, are trademarks of Sophos® Plc.
OriginalFilename : SWEEPSRV.SYS

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1148
ThreadCreationTime : 12-05-2005 15:52:31
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:16 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1352
ThreadCreationTime : 12-05-2005 15:52:33
BasePriority : Normal
FileVersion : 3.0.0.2209
ProductVersion : 7.0.0.2209
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:17 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1720
ThreadCreationTime : 12-05-2005 15:52:35
BasePriority : Normal
FileVersion : 3.0.0.2209
ProductVersion : 7.0.0.2209
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE

#:18 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 1732
ThreadCreationTime : 12-05-2005 15:52:35
BasePriority : Normal
FileVersion : 2.1.21 2.1.21 11/21/2002 14:17:53
ProductVersion : 2.1.21 2.1.21 11/21/2002 14:17:53
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:19 [ltmoh.exe]
FilePath : C:\Program Files\ltmoh\
ProcessID : 1556
ThreadCreationTime : 12-05-2005 15:52:36
BasePriority : Normal
FileVersion : 1.68
ProductVersion : 1.68
ProductName : LtMoh Application
CompanyName : Agere Systems
FileDescription : LtMoh MFC Application
InternalName : LtMoh
LegalCopyright : Agere Copyright © 2001-2002
LegalTrademarks : LT
OriginalFilename : LtMoh.EXE

#:20 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 1388
ThreadCreationTime : 12-05-2005 15:52:36
BasePriority : Normal
FileVersion : 7.2.9 03Jan03
ProductVersion : 7.2.9 03Jan03
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright © Synaptics, Inc. 1996-2002
OriginalFilename : SynTPLpr.exe

#:21 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 1880
ThreadCreationTime : 12-05-2005 15:52:39
BasePriority : Normal
FileVersion : 7.2.9 03Jan03
ProductVersion : 7.2.9 03Jan03
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
LegalCopyright : Copyright © Synaptics, Inc. 1996-2002
OriginalFilename : SynTPEnh.exe

#:22 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 216
ThreadCreationTime : 12-05-2005 15:52:42
BasePriority : Normal
FileVersion : 7,0,0,174
ProductVersion : 7.0.0.174
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2003, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:23 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 184
ThreadCreationTime : 12-05-2005 15:52:43
BasePriority : Normal
FileVersion : 7,0,0,159
ProductVersion : 7.0.0.159
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2003, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:24 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 468
ThreadCreationTime : 12-05-2005 15:52:45
BasePriority : Idle
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:25 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 572
ThreadCreationTime : 12-05-2005 15:52:45
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:26 [iotvreq.exe]
FilePath : c:\windows\system32\
ProcessID : 1572
ThreadCreationTime : 12-05-2005 15:52:46
BasePriority : Normal
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.

#:27 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 1208
ThreadCreationTime : 12-05-2005 15:52:51
BasePriority : Normal
FileVersion : 4.7.0041
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 1997-2001
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:28 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 1980
ThreadCreationTime : 12-05-2005 15:53:15
BasePriority : Normal
FileVersion : 7.0.0813
ProductVersion : 7.0.0813
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2005
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:29 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 2316
ThreadCreationTime : 12-05-2005 15:53:30
BasePriority : Normal
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:30 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2600
ThreadCreationTime : 12-05-2005 15:53:42
BasePriority : Normal
FileVersion : 5.4.3630.1106 (xpsp1.020828-1920)
ProductVersion : 5.4.3630.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:31 [ypager.exe]
FilePath : C:\Program Files\Yahoo!\Messenger\
ProcessID : 2884
ThreadCreationTime : 12-05-2005 15:53:51
BasePriority : Normal
FileVersion : 6,0,0,1913
ProductVersion : 6,0,0,1913
ProductName : Yahoo! Messenger
CompanyName : Yahoo! Inc.
FileDescription : Yahoo! Messenger
InternalName : Yahoo! Messengerr
LegalCopyright : Copyright 1998-2004
OriginalFilename : YPager.exe

#:32 [icmon.exe]
FilePath : C:\Program Files\Sophos SWEEP for NT\
ProcessID : 3152
ThreadCreationTime : 12-05-2005 15:53:59
BasePriority : Normal
FileVersion : 1.00.0235
ProductVersion : 3 (Build 0235)
ProductName : Sophos Anti-Virus
CompanyName : Sophos Plc
FileDescription : Sophos Anti-Virus InterCheck activity monitor (ENG)
InternalName : ICMON
LegalCopyright : © 1989-2005 Sophos Plc, www.sophos.com
LegalTrademarks : SWEEP®, InterCheck®, and SAVI®, are trademarks of Sophos® Plc.
OriginalFilename : ICMON.EXE

#:33 [istsvc.exe]
FilePath : C:\Program Files\ISTsvc\
ProcessID : 3180
ThreadCreationTime : 12-05-2005 15:53:59
BasePriority : Normal


#:34 [btdownloadgui.exe]
FilePath : C:\Program Files\BitTorrent\
ProcessID : 3248
ThreadCreationTime : 12-05-2005 16:28:06
BasePriority : Normal


#:35 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 2324
ThreadCreationTime : 12-05-2005 17:22:30
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:36 [firefox.exe]
FilePath : C:\PROGRA~1\MOZILL~1\
ProcessID : 2348
ThreadCreationTime : 12-05-2005 17:24:40
BasePriority : Normal


#:37 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 3036
ThreadCreationTime : 12-05-2005 17:26:13
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BargainBuddy Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678}

BargainBuddy Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678}
Value :

BargainBuddy Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678}

BargainBuddy Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678}
Value :

Hijacker.TopConverting Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{58634367-d62b-4c2c-86be-5aac45cdb671}

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{d0288a41-9855-4a9b-8316-babe243648da}

ZyncosMark Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0e704ba4-c517-4be7-a1cd-c3ffda1e1ffe}

ZyncosMark Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0e704ba4-c517-4be7-a1cd-c3ffda1e1ffe}
Value :

ZyncosMark Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : testcontentmatchcontrol1.contentmatchtag

ZyncosMark Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : testcontentmatchcontrol1.contentmatchtag
Value :

ZyncosMark Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{e9a5b71c-093b-4f34-af07-34fca89ba0df}

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\avenue media

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\ist

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\ist
Value : InstallDate

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\ist
Value : account_id

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\ist
Value : config

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\ist
Value : Recover

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\policies\avenue media

VX2 Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3d5OfSDist

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUS3t5atusOfSInst

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUL3a5stMotsSDay

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUL3a5stSSChckin

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : app_name

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_url

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_url

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : config_url

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : ui

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_initial_delay

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_count

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_day_count

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_day_limit

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_count

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : config_count

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : account_id

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : app_date

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_interval

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_last

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_interval

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_last

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : config_interval

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : config_last

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\policies\avenue media

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : last_conn_h

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : last_conn_l

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : we

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : cdata

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : TimeOffset

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : action_url_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : action_url_last_chunk

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : action_url_last_full_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : key_file

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : kw_last_chunk

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : geourl_last_full_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : geourl_current_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : actionurl_last_full_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : actionurl_current_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : keyword_last_full_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : keyword_current_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : recent_shown

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : key_int_high

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : key_int_low

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : int_high

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\sais
Value : int_low

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : DisplayName

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : UninstallString

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : NoModify

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\microsoft\internet explorer\main
Value : HOMEOldSP

Powerscan Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "account_id"
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\powerscan
Value : account_id

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_LOCAL_MACHINE
Object
  • 0

#6
koryo

koryo

    Member

  • Member
  • PipPip
  • 26 posts
right ok, was 2 big to put on one page so put it into a notepad file called help.txt

Attached Files

  • Attached File  help.txt   108.68KB   132 downloads

  • 0

#7
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Hello and Welcome

Ad-aware has found objects on your computer

If you chose to clean your computer from what Ad-aware found please follow these instructions below…

Please make sure that you are using the * SE1R44 10.05.2005 * definition file.


Please launch Ad-Aware SE and click on the gear to access the Configuration Menu. Please make sure that this setting is applied.

Click on Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Please then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
Download CCleaner (Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Please run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown in bold below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click OK.

Please note that the path above is of the default installion location for Ad-aware SE, if this is different, please adjust it to the location that you have installed it to.

When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to each "target family" you wish to remove. Click next, Click OK.

If problems are caused by deleting a family, please leave it.

Please firstly only remove Coolwebsearch

Please shutdown/restart your computer after removal, run a new full scan and post the results as a reply. Do not launch any programs or connect to the internet at this time.

Please then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes takes 2-3 posts to get it all posted, once the "Summary of this scan" information is shown, you have posted all of your logfile.

Please remember when posting another logfile keep "Search for negligible risk entries" deselected as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Please post back here

Good luck

Andy
  • 0

#8
Eyespy

Eyespy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Not only has my PC been hijacked, but my first thread got hijacked as well, hopefully this time noone else will barge in.


I've found Nail.exe and the Aurora Buddy program, along with a number of other secondry nasties. This is a full scan with the latest update of Ad-aware. If you need more, let me know.

Ad-Aware SE Build 1.05
Logfile Created on:Friday, 13 May 2005 8:20:39 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R44 10.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):14 total references
Tracking Cookie(TAC index:3):7 total references
VX2(TAC index:10):29 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R44 10.05.2005
Internal build : 52
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 470885 Bytes
Total size : 1423894 Bytes
Signature data size : 1392940 Bytes
Reference data size : 30442 Bytes
Signatures total : 39753
Fingerprints total : 872
Fingerprints size : 29756 Bytes
Target categories : 15
Target families : 668


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:70 %
Total physical memory:653808 kb
Available physical memory:451508 kb
Total page file size:815124 kb
Available on page file:672504 kb
Total virtual memory:2097024 kb
Available virtual memory:2042832 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


13/05/2005 8:20:39 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Adam\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-349521577-948938849-1002549238-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 756
ThreadCreationTime : 12/05/2005 10:19:48 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 872
ThreadCreationTime : 12/05/2005 10:19:54 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 1276
ThreadCreationTime : 12/05/2005 10:19:55 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 1336
ThreadCreationTime : 12/05/2005 10:19:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 1348
ThreadCreationTime : 12/05/2005 10:19:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 1608
ThreadCreationTime : 12/05/2005 10:19:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 1672
ThreadCreationTime : 12/05/2005 10:19:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1816
ThreadCreationTime : 12/05/2005 10:19:58 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 2016
ThreadCreationTime : 12/05/2005 10:19:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 2028
ThreadCreationTime : 12/05/2005 10:19:59 PM
BasePriority : High
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 284
ThreadCreationTime : 12/05/2005 10:20:00 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [ccevtmgr.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Command Line : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ProcessID : 328
ThreadCreationTime : 12/05/2005 10:20:00 PM
BasePriority : Normal
FileVersion : 1.03.4
ProductVersion : 1.03.4
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:13 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
ProcessID : 500
ThreadCreationTime : 12/05/2005 10:20:01 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:14 [ghosts~2.exe]
ModuleName : C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
Command Line : C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
ProcessID : 720
ThreadCreationTime : 12/05/2005 10:20:06 PM
BasePriority : Normal
FileVersion : 2003.775
ProductVersion : 2003.775
ProductName : Norton Ghost Start Service
CompanyName : Symantec Corporation
FileDescription : Norton Ghost Start
InternalName : GhostStartService
LegalCopyright : Copyright © 1998-2002 Symantec Corp. All rights reserved.
OriginalFilename : GhostStartService.exe

#:15 [navapsvc.exe]
ModuleName : C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
Command Line : "C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"
ProcessID : 748
ThreadCreationTime : 12/05/2005 10:20:06 PM
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:16 [nprotect.exe]
ModuleName : C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
Command Line : "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"
ProcessID : 792
ThreadCreationTime : 12/05/2005 10:20:06 PM
BasePriority : Normal
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
ProductName : Norton Utilities
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
LegalCopyright : Copyright © 2003 Symantec Corporation
LegalTrademarks : Norton Utilities
OriginalFilename : NPROTECT.EXE

#:17 [nopdb.exe]
ModuleName : C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
Command Line : C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
ProcessID : 1032
ThreadCreationTime : 12/05/2005 10:20:15 PM
BasePriority : Normal
FileVersion : 7.00.0.24
ProductVersion : 7.00.0.24
ProductName : Norton Speed Disk
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
LegalCopyright : Copyright © 2002
OriginalFilename : NOPDB.dll

#:18 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 1064
ThreadCreationTime : 12/05/2005 10:20:15 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:19 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 1192
ThreadCreationTime : 12/05/2005 10:20:15 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:20 [vsmon.exe]
ModuleName : C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Command Line : n/a
ProcessID : 1236
ThreadCreationTime : 12/05/2005 10:20:15 PM
BasePriority : Normal
FileVersion : 4.5.538.001
ProductVersion : 4.5.538.001
ProductName : TrueVector Service
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
OriginalFilename : vsmon.exe

#:21 [symwsc.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Command Line : "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
ProcessID : 1620
ThreadCreationTime : 12/05/2005 10:20:16 PM
BasePriority : Normal
FileVersion : 2005.1.2.20
ProductVersion : 2005.1
ProductName : Norton Security Center
CompanyName : Symantec Corporation
FileDescription : Norton Security Center Service
InternalName : SymWSC.exe
LegalCopyright : Copyright © 1997-2004 Symantec Corporation
OriginalFilename : SymWSC.exe

#:22 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 200
ThreadCreationTime : 12/05/2005 10:20:29 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-349521577-948938849-1002549238-1006\software\aurora
Value : AUS3t5atusOfSInst

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 27
Objects found so far: 41


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 41


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 13/05/2005 7:10:34 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/cgi-bin
Expires : 19/01/2009 9:00:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 11/06/2005 10:31:02 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
Category : Data Miner
Comment : Hits:4
Value : Cookie:[email protected]/
Expires : 1/01/2038 6:00:00 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment : Hits:10
Value : Cookie:[email protected]/
Expires : 1/01/2021 10:00:00 AM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 46



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : File
Data : temp.fr7380
Category : Malware
Comment :
Object : C:\Documents and Settings\Adam\Local Settings\Temp\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

VX2 Object Recognized!
Type : File
Data : iszmdet.exe.tcf
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 50


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 50




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 50

8:37:20 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:40.734
Objects scanned:135747
Objects identified:36
Objects ignored:0
New critical objects:36
  • 0

#9
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Download Findit
Unzip it to your desktop. Make sure the FindIt's.bat and XFind.com are together in the same UNZIPPED folder!
Disconnect from the internet, if you use an always on internet connection unplug it.
Let your PC be idle for 15 minutes !!

Doubleclick FindIt's.bat. When the scan is done, it will produce a log.
Post that log in your next reply
  • 0

#10
Eyespy

Eyespy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
As you wish, my master...


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 13/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\OSVMDB.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\IASADM.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is Local Disk
Volume Serial Number is 60BE-DB1A

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is Local Disk
Volume Serial Number is 60BE-DB1A

Directory of C:\WINDOWS\system32

07/12/2001 03:40 PM 22,486 LRNXP.ICO
1 File(s) 22,486 bytes
0 Dir(s) 6,531,244,032 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
  • 0

Advertisements


#11
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold:

C:\WINDOWS\System32\DRPMON.DLL
C:\WINDOWS\NAIL.EXE
C:\WINDOWS\System32\OSVMDB.EXE
C:\WINDOWS\System32\IASADM.DLL
C:\WINDOWS\SVCPROC.EXE


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Your computer must reboot now.

Post a hijackthislog afterwards.
  • 0

#12
Eyespy

Eyespy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
By your command...

Logfile of HijackThis v1.99.1
Scan saved at 11:43:46 PM, on 13/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
c:\windows\system32\zeofsf.exe
C:\Tools\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Tools\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [judxzv] c:\windows\system32\vgcqpb.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I think we're making progress, I got a message saying 'Nail.exe - File not found' when I rebooted. Probably the startup entry. and TrojanHunter Guard is still finding Agent.167 resident in the system.

Anyway, I'll wait to see what you think.
  • 0

#13
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
hi,

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup

* Download and install CCleaner
Do not use it yet.

* Download ewido security suite here: http://www.ewido.net/en/download/
Install and update it. Don't let it scan yet!!

* Reboot into Safe Mode`:
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [judxzv] c:\windows\system32\vgcqpb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\System32\DrPmon.dll
C:\Windows\System32\zeofsf.exe
c:\windows\system32\vgcqpb.exe

* Go to start > run and type: sc delete SvcProc <OK>

* Run Ccleaner and click Run Cleaner (bottom right)

* Still in safe mode; Perform a full scan with ewido.
Let it delete everything it is finding.
When finished, you'll get the option to make a log.
Save this log, because I'll need that later.

* Reboot your system back to normal mode.

Post a new hijackthislog together with the log from ewido and tell me if Nail.exe is really gone now.
  • 0

#14
koryo

koryo

    Member

  • Member
  • PipPip
  • 26 posts
Ok i did what i understood but i didnt understand a few bits of it

Firstly what do you mean by "Family"
i deleted coolwebsearch
and have log as help2.txt
am having problems deselecting negligable risk entries, please advice on how as cannot find the selsction


Ad-Aware SE Build 1.05
Logfile Created on:13 May 2005 17:39:29
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R44 10.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):3 total references
Alexa(TAC index:5):11 total references
BargainBuddy(TAC index:8):20 total references
DyFuCA(TAC index:3):36 total references
Hijacker.TopConverting(TAC index:5):1 total references
istbar(TAC index:7):13 total references
MRU List(TAC index:0):5 total references
Other(TAC index:5):2 total references
Possible Browser Hijack attempt(TAC index:3):3 total references
Rads01.Quadrogram(TAC index:6):2 total references
SideFind(TAC index:5):6 total references
Tracking Cookie(TAC index:3):7 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):55 total references
ZyncosMark(TAC index:3):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


13-05-2005 17:39:29 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 764
ThreadCreationTime : 13-05-2005 16:36:36
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 852
ThreadCreationTime : 13-05-2005 16:36:37
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 876
ThreadCreationTime : 13-05-2005 16:36:38
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 920
ThreadCreationTime : 13-05-2005 16:36:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 932
ThreadCreationTime : 13-05-2005 16:36:38
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1116
ThreadCreationTime : 13-05-2005 16:36:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1264
ThreadCreationTime : 13-05-2005 16:36:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1344
ThreadCreationTime : 13-05-2005 16:36:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1416
ThreadCreationTime : 13-05-2005 16:36:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1748
ThreadCreationTime : 13-05-2005 16:36:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
Warning! VX2 Object found in memory(C:\WINDOWS\system32\DrPMon.dll)

VX2 Object Recognized!
Type : Process
Data : DrPMon.dll
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 212
ThreadCreationTime : 13-05-2005 16:36:43
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 652
ThreadCreationTime : 13-05-2005 16:36:44
BasePriority : Normal
FileVersion : 3.0.0.2209
ProductVersion : 7.0.0.2209
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:13 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 688
ThreadCreationTime : 13-05-2005 16:36:44
BasePriority : Normal
FileVersion : 3.0.0.2209
ProductVersion : 7.0.0.2209
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE

#:14 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 780
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Normal
FileVersion : 2.1.21 2.1.21 11/21/2002 14:17:53
ProductVersion : 2.1.21 2.1.21 11/21/2002 14:17:53
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:15 [ltmoh.exe]
FilePath : C:\Program Files\ltmoh\
ProcessID : 788
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Normal
FileVersion : 1.68
ProductVersion : 1.68
ProductName : LtMoh Application
CompanyName : Agere Systems
FileDescription : LtMoh MFC Application
InternalName : LtMoh
LegalCopyright : Agere Copyright © 2001-2002
LegalTrademarks : LT
OriginalFilename : LtMoh.EXE

#:16 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 936
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Normal
FileVersion : 7.2.9 03Jan03
ProductVersion : 7.2.9 03Jan03
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright © Synaptics, Inc. 1996-2002
OriginalFilename : SynTPLpr.exe

#:17 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 984
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Normal
FileVersion : 7.2.9 03Jan03
ProductVersion : 7.2.9 03Jan03
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
LegalCopyright : Copyright © Synaptics, Inc. 1996-2002
OriginalFilename : SynTPEnh.exe

#:18 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1164
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Normal
FileVersion : 7,0,0,174
ProductVersion : 7.0.0.174
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2003, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:19 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1180
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Normal
FileVersion : 7,0,0,159
ProductVersion : 7.0.0.159
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2003, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:20 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 1208
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Idle
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:21 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1224
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:22 [zzifsnh.exe]
FilePath : c:\windows\system32\
ProcessID : 1240
ThreadCreationTime : 13-05-2005 16:36:45
BasePriority : Normal
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.

#:23 [icmon.exe]
FilePath : C:\Program Files\Sophos SWEEP for NT\
ProcessID : 1436
ThreadCreationTime : 13-05-2005 16:36:46
BasePriority : Normal
FileVersion : 1.00.0235
ProductVersion : 3 (Build 0235)
ProductName : Sophos Anti-Virus
CompanyName : Sophos Plc
FileDescription : Sophos Anti-Virus InterCheck activity monitor (ENG)
InternalName : ICMON
LegalCopyright : © 1989-2005 Sophos Plc, www.sophos.com
LegalTrademarks : SWEEP®, InterCheck®, and SAVI®, are trademarks of Sophos® Plc.
OriginalFilename : ICMON.EXE

#:24 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 1604
ThreadCreationTime : 13-05-2005 16:36:48
BasePriority : Normal
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:25 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1840
ThreadCreationTime : 13-05-2005 16:36:51
BasePriority : Normal
FileVersion : 7,0,0,175
ProductVersion : 7.0.0.175
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2003, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:26 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1852
ThreadCreationTime : 13-05-2005 16:36:51
BasePriority : Normal
FileVersion : 7,0,0,132
ProductVersion : 7.0.0.132
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2002, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:27 [swnetsup.exe]
FilePath : C:\Program Files\Sophos SWEEP for NT\
ProcessID : 2012
ThreadCreationTime : 13-05-2005 16:36:52
BasePriority : Normal
FileVersion : 1.00.0235
ProductVersion : 3 (Build 0235)
ProductName : Sophos Anti-Virus
CompanyName : Sophos Plc
FileDescription : Sophos Anti-Virus network support service
InternalName : SWNETSUP
LegalCopyright : © 1989-2005 Sophos Plc, www.sophos.com
LegalTrademarks : SWEEP®, InterCheck®, and SAVI®, are trademarks of Sophos® Plc.
OriginalFilename : SWNETSUP.EXE

#:28 [sweepsrv.sys]
FilePath : C:\Program Files\Sophos SWEEP for NT\
ProcessID : 132
ThreadCreationTime : 13-05-2005 16:36:53
BasePriority : Normal
FileVersion : 2.01.0235
ProductVersion : 3 (Build 0235)
ProductName : Sophos Anti-Virus
CompanyName : Sophos Plc
FileDescription : Sophos Anti-Virus detection system service
InternalName : SWEEPSRV
LegalCopyright : © 1989-2005 Sophos Plc, www.sophos.com
LegalTrademarks : SWEEP®, InterCheck®, and SAVI®, are trademarks of Sophos® Plc.
OriginalFilename : SWEEPSRV.SYS

#:29 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 380
ThreadCreationTime : 13-05-2005 16:36:56
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:30 [istsvc.exe]
FilePath : C:\Program Files\ISTsvc\
ProcessID : 3264
ThreadCreationTime : 13-05-2005 16:37:57
BasePriority : Normal


#:31 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3816
ThreadCreationTime : 13-05-2005 16:38:20
BasePriority : Normal
FileVersion : 5.4.3630.1106 (xpsp1.020828-1920)
ProductVersion : 5.4.3630.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BargainBuddy Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678}

BargainBuddy Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678}
Value :

BargainBuddy Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678}

BargainBuddy Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678}
Value :

Hijacker.TopConverting Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{58634367-d62b-4c2c-86be-5aac45cdb671}

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{d0288a41-9855-4a9b-8316-babe243648da}

ZyncosMark Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0e704ba4-c517-4be7-a1cd-c3ffda1e1ffe}

ZyncosMark Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0e704ba4-c517-4be7-a1cd-c3ffda1e1ffe}
Value :

ZyncosMark Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : testcontentmatchcontrol1.contentmatchtag

ZyncosMark Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : testcontentmatchcontrol1.contentmatchtag
Value :

ZyncosMark Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{e9a5b71c-093b-4f34-af07-34fca89ba0df}

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\avenue media

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\ist

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\ist
Value : Recover

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\policies\avenue media

VX2 Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3d5OfSDist

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUS3t5atusOfSInst

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUL3a5stMotsSDay

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\aurora
Value : AUL3a5stSSChckin

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : app_name

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_url

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_url

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : config_url

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : ui

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_initial_delay

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_count

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_day_count

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_day_limit

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_count

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : config_count

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : account_id

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : app_date

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_interval

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : popup_last

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_interval

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : update_last

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : config_interval

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\istsvc
Value : config_last

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\policies\avenue media

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : DisplayName

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : UninstallString

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\istsvc
Value : NoModify

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-796845957-1708537768-1343024091-1003\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "IST Service"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : IST Service

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 86
Objects found so far: 92


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : contentmatch.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : contentmatch.net\ny
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net\ny

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : contentmatch.net\ny
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net\ny
Value : http

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : contentmatch.net\ny
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net\ny
Value : https

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "ele5Mw"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : ele5Mw

istbar Object Recognized!
Type : File
Data : dmfeyss.exe
Category : Malware
Comment :
Object : c:\windows\



Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 97


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Koryo\Cookies\[email protected][2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Koryo\Cookies\[email protected][1].txt

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 99



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pox [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Pox Master\Cookies\pox [email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pox [email protected][3].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Pox Master\Cookies\pox [email protected][3].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pox [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Pox Master\Cookies\pox [email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pox [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Pox Master\Cookies\pox [email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pox [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Pox Master\Cookies\pox [email protected][1].txt

BargainBuddy Object Recognized!
Type : File
Data : B70235B0-A656-4A51-A002-2ED856
Category : Malware
Comment :
Object : C:\Program Files\Microsoft AntiSpyware\Quarantine\0476495C-FEC1-4F11-829B-1EDE42\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : adx
CompanyName : eXact Advertising
InternalName : adx
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : adx.exe


DyFuCA Object Recognized!
Type : File
Data : EAD0CE43-EA32-4227-9A61-CA66D2
Category : Malware
Comment :
Object : C:\Program Files\Microsoft AntiSpyware\Quarantine\F0A36185-6724-495D-AD5A-85FBFB\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : SideFind Module
CompanyName : IST
FileDescription : SideFind Module
InternalName : SideFind
LegalCopyright : Copyright 2004
OriginalFilename : SideFind.DLL


VX2 Object Recognized!
Type : File
Data : A0000464.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0000474.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0000482.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0000492.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


DyFuCA Object Recognized!
Type : File
Data : A0000506.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : DyFuCA_BH Module
FileDescription : DyFuCA_BH Module
InternalName : DyFuCA_BH
LegalCopyright : Copyright 2002
OriginalFilename : DyFuCA_BH.DLL


BargainBuddy Object Recognized!
Type : File
Data : A0000510.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe


VX2 Object Recognized!
Type : File
Data : A0000523.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0000532.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0000541.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68566D48-95BC-4ED0-A629-CF8DF0350705}\RP4\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!

Attached Files


Edited by koryo, 13 May 2005 - 10:55 AM.

  • 0

#15
Eyespy

Eyespy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Guess who's back, back again. Nail was definitly gone before I rebooted from safe mode, and yet here it is large as life.

Hijackthis and Ewido log follows


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\tools\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\tools\ewido\security suite\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:23:11 AM, 14/05/2005
+ Report-Checksum: D55802E7

+ Date of database: 13/05/2005
+ Version of scan engine: v3.0

+ Duration: 530 min
+ Scanned Files: 126577
+ Speed: 3.98 Files/Second
+ Infected files: 25
+ Removed files: 25
+ Files put in quarantine: 25
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Adam\My Documents\backups\backup-20040710-232435-821.dll.tcf -> Spyware.ToolBar.MyWay.g -> Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\powe6081.BUD/Program Files/Power Scan/powerscan.exe -> Spyware.PowerScan.d -> Cleaned with backup
C:\RECYCLER\NPROTECT\00186519.exe.tcf -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00186522.exe.tcf -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00186994.exe.tcf -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00187039.exe.tcf -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00187041.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00187235.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00187237.TCF -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00187274.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188015.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188035.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188103.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188125.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188126.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188145.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188146.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188261.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188262.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188339.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00188347.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\SYSTEM32\azesearch3.ocx -> Spyware.Azesearch.b -> Cleaned with backup
C:\WINDOWS\SYSTEM32\bmiemb.exe.tcf -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ndamdn.exe -> Trojan.Agent.cp -> Cleaned with backup


::Report End
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP