Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[Referred]have gone through with adaware, over 50 in quarant[RESOLVED]

Started by endless_cups_of_tea , May 15 2005 06:14 AM

  • This topic is locked This topic is locked

#1
endless_cups_of_tea
Posted 15 May 2005 - 06:14 AM

endless_cups_of_tea

    Member

  • Member
  • PipPip
  • 10 posts
Hi. installed and gone through with adaware

did post in another forum, but am now follwoing general advice to go through adaware then other prgrams to remove this nasty trojan horse. it stop me from surfing the web :tazz:


manythanks for your help ;)


Ad-Aware SE Build 1.05
Logfile Created on:15 May 2005 12:52:43
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R45 13.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):3 total references
AltnetBDE(TAC index:4):31 total references
CoolWebSearch(TAC index:10):17 total references
Other(TAC index:5):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


15-05-2005 12:52:43 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 444
ThreadCreationTime : 15-05-2005 10:38:30
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 500
ThreadCreationTime : 15-05-2005 10:38:33
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 15-05-2005 10:38:34
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 568
ThreadCreationTime : 15-05-2005 10:38:34
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 580
ThreadCreationTime : 15-05-2005 10:38:34
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 736
ThreadCreationTime : 15-05-2005 10:38:36
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 808
ThreadCreationTime : 15-05-2005 10:38:36
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 916
ThreadCreationTime : 15-05-2005 10:38:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 928
ThreadCreationTime : 15-05-2005 10:38:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1124
ThreadCreationTime : 15-05-2005 10:38:41
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [eebsvc.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ProcessID : 1272
ThreadCreationTime : 15-05-2005 10:38:49
BasePriority : Normal


#:12 [sagent2.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ProcessID : 1504
ThreadCreationTime : 15-05-2005 10:38:50
BasePriority : Normal
FileVersion : 2, 3, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2000-2001
OriginalFilename : SAgent2.exe

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1580
ThreadCreationTime : 15-05-2005 10:38:50
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1600
ThreadCreationTime : 15-05-2005 10:38:50
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:15 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1876
ThreadCreationTime : 15-05-2005 11:04:38
BasePriority : Normal


#:16 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1048
ThreadCreationTime : 15-05-2005 11:04:39
BasePriority : High


#:17 [taskmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 940
ThreadCreationTime : 15-05-2005 11:26:56
BasePriority : High
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe

#:18 [uwdf.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 504
ThreadCreationTime : 15-05-2005 11:27:32
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User-Mode Driver Framework
InternalName : uwdf.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : uwdf.exe

#:19 [ad-aware.exe]
FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~2\
ProcessID : 2024
ThreadCreationTime : 15-05-2005 11:52:09
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:20 [hh.exe]
FilePath : C:\WINDOWS\
ProcessID : 1524
ThreadCreationTime : 15-05-2005 11:52:09
BasePriority : Normal
FileVersion : 5.2.3644.0
ProductVersion : 5.2.3644.0
ProductName : HTML Help
CompanyName : Microsoft Corporation
FileDescription : Microsoft® HTML Help Executable
InternalName : HH 1.4
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : HH.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0b6ef17e-18e5-4449-86ea-64c82d596eae}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0b6ef17e-18e5-4449-86ea-64c82d596eae}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{b599c57e-113a-4488-a5e9-bc552c4f1152}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{1d27210e-2da2-41e2-a103-b5fd9d6a798b}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{145e6fb1-1256-44ed-a336-8bba43373be6}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{145e6fb1-1256-44ed-a336-8bba43373be6}
Value : InprocServer32

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm25.adm25

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm25.adm25
Value :

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm25.adm25.1

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm25.adm25.1
Value :

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm4.adm4

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm4.adm4
Value :

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm4.adm4.1

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\adm4.adm4.1
Value :

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\adm.exe

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\adm.exe
Value : AppID

AltnetBDE Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\altnet signing module.exe

AltnetBDE Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\altnet signing module.exe
Value : AppID

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2000478354-1708537768-854245398-1004\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 23
Objects found so far: 23


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AltnetBDE Object Recognized!
Type : File
Data : dmfiles.cab
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\



AltnetBDE Object Recognized!
Type : File
Data : DMinfo3.cab
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\



AltnetBDE Object Recognized!
Type : File
Data : dminstall7.cab
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\



AltnetBDE Object Recognized!
Type : File
Data : pmexe.cab
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\



AltnetBDE Object Recognized!
Type : File
Data : pmfiles.cab
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\



AltnetBDE Object Recognized!
Type : File
Data : pminstall.cab
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\



AltnetBDE Object Recognized!
Type : File
Data : Setup.cab
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\



AltnetBDE Object Recognized!
Type : File
Data : Setup.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\
FileVersion : 1, 0, 4, 13
ProductVersion : 1, 0, 0, 0
ProductName : AltnetInstaller
CompanyName : Altnet
FileDescription : AltnetInstaller
InternalName : AltnetInstaller
LegalCopyright : Copyright © 2003
OriginalFilename : AltnetInstaller.exe


AltnetBDE Object Recognized!
Type : File
Data : adm4.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\
FileVersion : 4, 0, 0, 6
ProductVersion : 4, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright © 2003 Altnet
OriginalFilename : ADM4.dll


AltnetBDE Object Recognized!
Type : File
Data : adm25.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\
FileVersion : 1, 2, 4, 3
ProductVersion : 1, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright 2002
OriginalFilename : ADM25.dll


AltnetBDE Object Recognized!
Type : File
Data : adm.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\
FileVersion : 4, 0, 0, 5
ProductVersion : 4, 0, 0, 0
ProductName : ADM
CompanyName : Altnet
FileDescription : ADM
InternalName : ADM
LegalCopyright : Copyright © 2003, 2004 Altnet
OriginalFilename : ADM.exe


AltnetBDE Object Recognized!
Type : File
Data : admdata.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\
FileVersion : 1, 0, 1, 10
ProductVersion : 1, 0, 0, 0
ProductName : ADMData
CompanyName : Altnet
FileDescription : ADMData
InternalName : ADMData
LegalCopyright : Copyright 1999
OriginalFilename : ADMData.dll


AltnetBDE Object Recognized!
Type : File
Data : admdloader.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\
FileVersion : 3, 0, 39, 2
ProductVersion : 3, 0, 0, 0
ProductName : ADMDloader
CompanyName : Altnet
FileDescription : BDEDownloader
InternalName : ADMDloader
LegalCopyright : Copyright © 2001 Altnet
OriginalFilename : ADMDloader.dll


AltnetBDE Object Recognized!
Type : File
Data : admfdi.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 0
ProductName : ADMFdi
CompanyName : Altnet
FileDescription : ADMFdi
InternalName : ADMFdi
LegalCopyright : Copyright © 2000
OriginalFilename : ADMFdi


AltnetBDE Object Recognized!
Type : File
Data : admprog.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\Altnet\
FileVersion : 4, 0, 0, 4
ProductVersion : 4, 0, 0, 0
ProductName : ADMProg
CompanyName : Altnet
InternalName : ADMProg
LegalCopyright : Copyright © 2003 Altnet
OriginalFilename : ADMProg.dll


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 38


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 38




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\run
Value : WindowsFY

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search\searchproperties\en-us
Value : SingleProvider

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\system
Value : NoDispAppearancePage

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\system
Value : WallpaperStyle

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : C:\wp.bmp
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : control panel\desktop
Value : Wallpaper
Data : C:\wp.bmp

CoolWebSearch Object Recognized!
Type : File
Data : wp.bmp
Category : Malware
Comment :
Object : c:\



CoolWebSearch Object Recognized!
Type : File
Data : hosts
Category : Malware
Comment :
Object : C:\WINDOWS\



AltnetBDE Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\WINDOWS\temp\Altnet

AltnetBDE Object Recognized!
Type : File
Data : msvcirt.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\temp\altnet\
FileVersion : 6.00.8168.0
ProductVersion : 6.00.8168.0
ProductName : Microsoft ® Visual C++
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® C++ Runtime Library
InternalName : MSVCIRT.DLL
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : MSVCIRT.DLL


AltnetBDE Object Recognized!
Type : File
Data : mysearch.cab
Category : Data Miner
Comment :
Object : C:\WINDOWS\temp\altnet\



AltnetBDE Object Recognized!
Type : File
Data : atl.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\temp\altnet\
FileVersion : 3.00.8168
ProductVersion : 6.00.8168
ProductName : Microsoft ® Visual C++
CompanyName : Microsoft Corporation
FileDescription : ATL Module for Windows (ANSI)
InternalName : ATL
LegalCopyright : Copyright © Microsoft Corp. 1996-1998
OriginalFilename : ATL.DLL


Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 17
Objects found so far: 55

13:07:06 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:14:22.630
Objects scanned:83183
Objects identified:55
Objects ignored:0
New critical objects:55




BIG THANKS for all your wonderful help. i search at msn and they know nothing. you peeps are de kings ;)
  • 0

Advertisements

#2
endless_cups_of_tea
Posted 15 May 2005 - 07:21 AM

endless_cups_of_tea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
:tazz: hi! really sorry cos i keep making new posts, but i can't find a way of following my old ones

have done a deep C: scan as mentioned in title.

can use use pc. now have a black screen. no desktop to speak of. use pc thru task manager, browsing and running a program. on net through opera.

net log as follows ;)



hopefully is attachment as clipboard strangely not copy pasting. hmmm.

many thanks ;)



Attached File  qu2log.TXT   14.3KB   195 downloads
  • 0

#3
Mannen
Posted 16 May 2005 - 02:10 AM

Mannen

    Ad-Aware Expert

  • Member
  • PipPipPip
  • 110 posts
Greetings and welcome!


I merged your two threads into one. So please only reply to this topic

Your last Adaware log is looking good but Adaware usually doesn't get all the files behind this infection so I will move you over to the Hijackthis forum for a deeper look

Cheers
Mannen
  • 0

#4
Mannen
Posted 16 May 2005 - 02:35 AM

Mannen

    Ad-Aware Expert

  • Member
  • PipPipPip
  • 110 posts
Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.
  • 0

#5
endless_cups_of_tea
Posted 16 May 2005 - 05:20 AM

endless_cups_of_tea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Many thanks Mannen. Muchos thanks for all the efforts. Will do the step 5 Hijack this log thing. Have just done an AVG scan which removed a load of start up trojans and also an ewido which seemed to remove a lot. Let's just say i've learned my lesson - i hope. will post hijack log asap :tazz:


endless
  • 0

#6
endless_cups_of_tea
Posted 16 May 2005 - 05:28 AM

endless_cups_of_tea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
My hijack this log :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 12:25:43, on 16/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Opera7\opera.exe
C:\webdownloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: BBCTicker.lnk = C:\Program Files\BBC Ticker\BBCTicker.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe



hope this is the right thing, and am awaiting further instructions as and when you busy lot get a moment to spend on mine!!!

cheers ;)

Removed E-mail Addy

Edited by don77, 16 May 2005 - 05:45 AM.

  • 0

#7
don77
Posted 16 May 2005 - 05:49 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi and welcome endless_cups_of_tea
I removed your E-mail address from your post, Don't want to be posting it as your likely to end with all kinds of e-mails most of which would not be from folks you want.

Looks as though you cleaned up quite nicely, Just a few more to go,
  • Please set your system to show
    all files; please see here if you're unsure how to do this.










  • Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)

    Click on Fix Checked when finished and exit HijackThis.

  • Reboot into Safe Mode: please see here if you are not sure how to do this.


    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINDOWS\xmllib.dll (file missing)
    Exit Explorer, and reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
  • 0

#8
endless_cups_of_tea
Posted 16 May 2005 - 06:01 AM

endless_cups_of_tea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
hi there ;) thanks for all the help ;)

will follow instructions. one prob is that i have to do all through the task manager panel, as i have no usual desktop at all, just a blank screen and then i go through the run command from task manager to do ANYTHING!!! this is how all other things i have done, have been done ( if that makes sense :tazz: )

anyway, will follow instructions and post new hijack log asap.

endless
  • 0

#9
endless_cups_of_tea
Posted 16 May 2005 - 06:24 AM

endless_cups_of_tea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
checked the two bit in hijack this log and fixed.

had probs finding the file, c:\\WINDOWS\xmllib.dll

found c:\\WINDOWS\XMLLIBUI - has a white square box with a blue strip as the icon

hope this helps :tazz:


many thanks again.

still have a black screen when i log into xp. so doing everything thru task manager.

cheers

endless.
  • 0

#10
don77
Posted 16 May 2005 - 07:35 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Lets see if we can get it back for you,

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt


Also, for the start bar,
ctrl-esc or try the windows key on your key board
  • 0

Advertisements

#11
endless_cups_of_tea
Posted 16 May 2005 - 11:22 PM

endless_cups_of_tea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi! did that and now have the windows blue, but no desktop to speak of! windows key not working, and still basically using the task manager.

i also found the file you were looking for earlier that i couldn't. it was quarantined in ewido, so i deleted it. hope this was the right thing to do.

windows blue beats just darkness tho.

many thanks for all the help. any ideas on how to get the desktop back

muchos thanks
  • 0

#12
don77
Posted 17 May 2005 - 04:58 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Lets see if this helps,
Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK.

Let me know how you make out
  • 0

#13
endless_cups_of_tea
Posted 26 May 2005 - 01:48 PM

endless_cups_of_tea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi there! Thanks for the help but i don't know how to get control panel as i can't find it through the task manager!!

any ideas appreciated

i was advised by another member to delete these keys from the registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

also, interesting, explorer does not come up in any form, when i find it through task manager!

many thanks again for your help :tazz:
  • 0

#14
don77
Posted 27 May 2005 - 08:29 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
right click on where your start button should be, choose Properties,
Make sure Auto Hide is unchecked
  • 0

#15
endless_cups_of_tea
Posted 09 June 2005 - 11:40 AM

endless_cups_of_tea

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Many thanks for ALL of your help!

My computer is well again!

I am using AVG and other various scanning programs to keep my computer well :tazz:


Many thanks again ;)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP